Configure MFA
Configure MFA settings in Logto
Follow these steps to enable MFA in your users' Logto sign-in flow:
- Navigate to: Console > Multi-factor auth.
- Enable the supported verification factors for your users.
- Primary factors:
  - Authenticator app OTP: The most common and widely accepted method. The user enters a time-based one-time password (TOTP) generated by an authenticator app such as Google Authenticator or Authy.
  - Passkeys (WebAuthn): A high-security option for web products that can use device biometrics or hardware security keys. WebAuthn credentials are bound to the site's origin, which makes them resistant to phishing.
- Backup factors:
  - Backup codes: A fallback for when the user cannot verify any of the primary factors above, for example after losing the device that holds the authenticator app. Enabling this option reduces the chance of users being locked out of their accounts.
- Select the MFA policy for your users:
  - User-controlled MFA: Users can skip the MFA setup step during sign-up. They may set up MFA later through your self-service account settings page or the Logto-hosted account settings page (coming soon). Learn more about implementing a user account settings page.
  - Admin-enforced MFA: MFA is required for all users. Users are prompted to set up MFA during sign-in and cannot skip the step. A user who has not set up MFA, or who deletes their MFA settings, is locked out of their account until MFA is set up again.
MFA user flow
MFA set-up flow
Once MFA is enabled, users are prompted to set up MFA during sign-in and sign-up. Users can skip this setup only if the "User-controlled MFA" policy is selected.
- Visit sign-in or sign-up page: The user navigates to the sign-in or sign-up page.
- Completes sign-in or sign-up: The user completes the identity verification process within the sign-in or sign-up flow.
- Set up MFA primary factor: The user is prompted to set up their primary MFA factor (either Authenticator app OTP or WebAuthn). If multiple primary factors are enabled, they can choose their preferred option. If the “User-controlled MFA” policy is enabled, they can also skip this step by selecting the "Skip" button.
- Set up MFA backup factor: If backup codes are enabled, the user is prompted to set them up after successfully configuring their primary factor. Auto-generated backup codes are displayed to the user, who can download them and store them securely. The user must explicitly confirm that they have saved the backup codes to complete the MFA setup.
MFA verification flow
Users who have set up MFA are prompted to verify their identity with one of their configured factors during sign-in. Which factors are offered depends on the MFA configuration in Logto and on the factors the user has enrolled.
- If a user has set up only one factor, they verify with it directly.
- If a user has set up multiple factors, they choose one to verify with.
- If none of the enabled primary factors are available to the user and backup codes are enabled, they can verify with a backup code. Each backup code can be used only once.