Introduction

This guide will show you how to enable Dynamic’s Account based Multi-Factor Authentication (MFA) in your app.
Dynamic offers two different types of multi-factor authentication: account based and action based. At the account level, users must complete 2FA on login, while at the action level, they must complete 2FA when performing a specific action. (And yes, we know it might be a bit confusing. Just remember: one MFA is for logging in, the other is for performing actions after logging in. Think of it like locking your front door and then locking the safe inside!)

Supported methods

Dynamic currently supports the following MFA methods:
  • Authenticator app (e.g. Google Authenticator or Authy)
  • Passkeys

Setup

  1. Make sure you are on the latest Dynamic packages.
  2. Go to the Security page in your developer Dashboard.
  3. In the Account MFA section, enable the methods you want enabled, then click Save Changes.
  4. Optionally, you can require users to complete MFA on signup by clicking the settings gear to the right of the MFA header, then toggling on “Require at onboarding”.
That’s it! Make sure you are using the same environment id from the SDK & API Keys page in your app. When you sign in to your app, you will be prompted to MFA if you toggled on “Require at onboarding”, otherwise you will be able to optionally add MFA from the user profile section of the Dynamic widget.

Action based MFA

Action based MFA is a more granular way to require MFA for specific actions in your app. For example, you can require MFA for creating a transaction, or for exporting a private key. To enable action based MFA, you need to:
  1. Follow the steps above to enable MFA methods.
  2. In the Account MFA section, click the settings gear to the right of the MFA header, toggle on “Action based MFA”, then click Save Changes.
  3. In the SDK, use the getMfaToken function returned from the useGetMfaToken hook to check if the user has an MFA token to perform the action.
  4. If no MFA token exists, you can prompt the user to perform MFA by using one of the following methods:
import { usePromptMfaAuth, useAuthenticatePasskeyMFA, useMfa } from '@dynamic-labs/sdk-react-core';

// These are React hooks: call them inside a component, and pick one method.

// Dynamic UI
const promptMfaAuth = usePromptMfaAuth();
promptMfaAuth({
  createMfaToken: true,
});

// Headless Passkey
const authenticatePasskeyMFA = useAuthenticatePasskeyMFA();
authenticatePasskeyMFA({
  createMfaToken: true,
});

// Headless TOTP
const { authenticateDevice } = useMfa();
authenticateDevice({
  code, // The code from the user's authenticator app
  createMfaToken: { singleUse: true },
});
  5. Perform the action.
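The check, prompt, then perform sequence above can be wrapped in one fail-closed helper. This is an added example, not Dynamic's own code: `runWithActionMfa` and `makeFakeMfa` are hypothetical names, the fake stands in for the SDK so the flow runs offline, and it assumes `getMfaToken()` resolves to a token or a falsy value and that the prompt rejects when the user cancels.

```javascript
// Added example: gate a sensitive action behind action-based MFA.
// Assumptions (not confirmed by the page): getMfaToken() resolves to a token
// or a falsy value; promptMfa() resolves once MFA completes, rejects on cancel.
async function runWithActionMfa({ getMfaToken, promptMfa, action }) {
  // Check: is there already an MFA token for this action?
  let token = await getMfaToken();
  if (!token) {
    // Prompt: no token, so ask the user to complete MFA.
    try {
      await promptMfa();
    } catch (err) {
      // Fail closed: never run the action if MFA was not completed.
      return { performed: false, reason: 'mfa_not_completed' };
    }
    token = await getMfaToken();
    if (!token) return { performed: false, reason: 'no_token_after_mfa' };
  }
  // Perform: run the action only once a token exists.
  return { performed: true, result: await action() };
}

// Constructed stand-in for the SDK. It models a single-use token:
// the token is consumed when the action runs.
function makeFakeMfa({ userCompletesMfa }) {
  const state = { token: null, prompts: 0 };
  return {
    state,
    getMfaToken: async () => state.token,
    promptMfa: async () => {
      state.prompts += 1;
      if (!userCompletesMfa) throw new Error('user cancelled');
      state.token = 'constructed-token';
    },
    action: async () => {
      state.token = null; // single-use token is spent
      return 'signed';
    },
  };
}

async function demo() {
  const ok = makeFakeMfa({ userCompletesMfa: true });
  const first = await runWithActionMfa(ok);
  const second = await runWithActionMfa(ok); // token spent, so it prompts again
  const cancelled = await runWithActionMfa(makeFakeMfa({ userCompletesMfa: false }));
  return { first, second, prompts: ok.state.prompts, cancelled };
}
```

In a component, `getMfaToken` would come from `useGetMfaToken` and `promptMfa` would be `() => promptMfaAuth({ createMfaToken: true })`.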

Supported actions

Dynamic Wallet-as-a-Service (WaaS)

Sign
  • signMessage
  • signTransaction
  • signTypedData
  • signRawMessage
  • signAuthorization
Export
  • exportPrivateKey
Reshare
  • delegateKeyShares
Refresh
  • refreshWalletAccountShares

Supporting users who lose access to their MFA methods

Please ensure you only delete MFA methods after confirming the identity of your end users.
If one of your users contacts you to report that they have lost access to their authenticator device or passkey, you can remove their MFA methods from the User Management table.
  1. Go to the User Management table.
  2. Find the user by searching based on email, username, or other verified credentials.
  3. Open the details panel and click the button to reset MFA.
  4. Confirm you are resetting MFA for the correct user.
  5. Click the button to reset MFA.