Multi-Factor Authentication (MFA) adds a layer of security to your app. Require users to verify their identity upon login, for sensitive actions like transactions, or both. This guide covers how to implement both account-based and action-based MFA using either the Dynamic Widget or headless hooks for a custom UI.

Account-Based MFA

With account-based MFA, users must complete an MFA challenge on every login.

Setup

  1. Go to the Security page.
  2. In the Account MFA section, enable your desired methods (TOTP and/or Passkeys).
  3. (Optional) Toggle “Require at onboarding” to force MFA setup during signup.
  4. (Optional) Toggle “Session-based MFA” to require MFA for every new session.
  5. Click Save Changes.

Implementation

Using the Dynamic Widget

The Dynamic Widget automatically handles the entire account-based MFA flow, including device registration, authentication, and recovery codes. No extra code is needed.

Using your UI (headless/hooks)

For full UI control, use our headless hooks to build a custom MFA experience. This approach is more complex but allows complete UI and flow customization. See our step-by-step guides for detailed instructions:

Headless TOTP Guide

Build a custom TOTP experience with authenticator apps.

Headless Passkeys Guide

Implement a custom Passkey MFA flow for your application.

Action-Based MFA

Require users to complete MFA only for sensitive actions, like signing transactions or exporting private keys. This is more user-friendly while still protecting critical operations.

Setup

  1. Go to the Security page.
  2. In the Account MFA section, enable your desired methods (TOTP and/or Passkeys).
  3. Click the settings gear next to the MFA header.
  4. Toggle on Action based MFA.
  5. Click Save Changes.

Implementation

Using the Dynamic Widget

The Dynamic Widget automatically prompts for MFA when a user attempts a protected action. No extra code is needed.

Using your UI (headless/hooks)

For full UI control, use our headless hooks to build a custom MFA experience. See our step-by-step guides for detailed instructions:

Headless TOTP Guide

Build a custom TOTP experience with authenticator apps.

Headless Passkeys Guide

Implement a custom Passkey MFA flow for your application.

Device Management & Recovery

Users might need to delete an MFA device if it’s lost or replaced, or an admin may need to reset a user’s MFA.

Device Management

Manage user MFA devices and recovery.