# End-User MFA

> Configure Multi-Factor Authentication for your end users to secure account access and sensitive actions.

Multi-Factor Authentication (MFA) requires users to verify their identity using a second authentication factor. MFA is structured in two parts: **enrollment** (users register a TOTP device or Passkey) and **enforcement** (when the second factor is required). Enforcement can be session-based (every login), action-based (specific sensitive actions), or both.

## MFA Methods

Users can authenticate using either of these methods:

* **TOTP (Time-based One-Time Password)**: Authenticator apps like Google Authenticator, Authy, or 1Password
* **Passkeys**: WebAuthn-based authentication using biometrics or device security keys

## Enrollment

Enrollment is the step in which users register a TOTP device or Passkey. If you use Dynamic's UI, enrollment can be required during first-time onboarding.

**Configuration:**

* **Require at onboarding**: When enabled, users must set up MFA during signup and cannot complete signup without registering an MFA method (TOTP or Passkey).

**Behavior:**

* Users must register at least one MFA method (TOTP or Passkey).
* With "Require at onboarding" enabled and Dynamic's UI, registration is required during first-time onboarding.

## Enforcement

Enforcement is when the second factor is required. You can enable **session-based** enforcement (every login), **action-based** enforcement (specific sensitive actions), or both. Users must have completed enrollment (registered at least one MFA method) before enforcement applies.

### Session-based enforcement

When enabled, MFA is required on every login—users must complete an MFA challenge each time they start a new session.

**Configuration:**

* **Session-based MFA** (toggle in the dashboard): When enabled, MFA is required on every new login session.

**Behavior:**

* Users complete an MFA challenge on every new login session.
* This is in addition to their primary authentication method.
* Login is blocked until the MFA challenge is completed.

### Action-based enforcement

When enabled, users must verify their identity with a second factor before performing specific sensitive actions (e.g., signing, exporting keys). You can enable one or more of the events below.

<Info>
  Action-based enforcement helps protect users in two important scenarios: **if their JWT is stolen** (e.g., via phishing or a compromised session), or **if there is malware on their device**. In both cases, the attacker cannot complete sensitive actions without the second factor.
</Info>

**Events that trigger action-based enforcement:**

* **Waas Export**: When exporting a private key on an MPC wallet
* **Waas Refresh**: When a user's wallet is delegated to another device, or when they claim a pre-generated wallet for the first time
* **WaaS Sign**: When any signature is performed (message, transaction, typed data, authorization, etc.)
* **WaaS Reshare**: When a wallet's delegated access is approved or revoked and the user next signs in

**Configuration:**

* Select which events to protect with MFA (Waas Export, Waas Refresh, WaaS Sign, WaaS Reshare) in the dashboard.

**Behavior:**

* Users create an MFA token before performing the protected action.
* The token is validated when the action is executed.
* Actions are blocked until a valid MFA token is provided.
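
The two-step flow above (create an MFA token, then validate it when the action executes) can be modeled as follows. This is an added example, not Dynamic's SDK or API code: the function names, the in-memory token store, the 60-second lifetime, and the single-use rule are assumptions made for illustration, and TOTP is checked with RFC 6238 defaults and no clock-skew window.

```javascript
// Added model of action-based MFA enforcement; NOT Dynamic's SDK or API.
const crypto = require('crypto');

// Events selected for protection (names as listed on this page).
const PROTECTED_EVENTS = new Set(['Waas Export', 'WaaS Sign']);
const TOKEN_TTL_MS = 60_000;   // assumption: short-lived MFA token
const issued = new Map();      // token -> { userId, expiresAt } (hypothetical store)

// RFC 6238 TOTP: HMAC-SHA1, 30-second step, 6 digits.
function totp(secret, nowMs) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(nowMs / 1000 / 30)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const off = mac[19] & 0x0f;                       // dynamic truncation offset
  const bin = mac.readUInt32BE(off) & 0x7fffffff;
  return String(bin % 1_000_000).padStart(6, '0');
}

// Step 1: the user proves the second factor and receives an MFA token.
function createMfaToken(user, code, nowMs) {
  const expected = Buffer.from(totp(user.totpSecret, nowMs));
  const given = Buffer.from(String(code));
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return null;
  const token = crypto.randomBytes(16).toString('hex');
  issued.set(token, { userId: user.id, expiresAt: nowMs + TOKEN_TTL_MS });
  return token;
}

// Step 2: the token is validated when the action executes.
// A valid session alone (for example a stolen JWT) is not enough.
function executeAction(event, session, mfaToken, nowMs) {
  if (!session || !session.userId) return 'blocked: no session';
  if (!PROTECTED_EVENTS.has(event)) return 'allowed';
  const rec = issued.get(mfaToken);
  if (!rec || rec.userId !== session.userId || rec.expiresAt < nowMs) {
    return 'blocked: MFA required';
  }
  issued.delete(mfaToken);     // assumption: each token is single use
  return 'allowed';
}
```

Binding the token to the session's user and consuming it on use means a token captured for one action cannot be replayed for another user or a second action in this model.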

## Dashboard Configuration

Configure end-user MFA in the [Security Settings](https://app.dynamic.xyz/dashboard/settings/security) page:

1. Navigate to **Settings > Security** in the dashboard.
2. **Enrollment**: Enable TOTP and/or Passkeys; toggle "Require at onboarding" to require MFA enrollment during signup.
3. **Enforcement**: Choose when the second factor is required:
   * **Session-based**: Toggle "Session-based MFA" to require MFA on every login.
   * **Action-based**: Enable TOTP and/or Passkeys for Action MFA (if not already enabled for enrollment), then select which events to protect (Waas Export, Waas Refresh, WaaS Sign, WaaS Reshare).

   You can enable session-based enforcement, action-based enforcement, or both.

## Implementation

After configuring MFA in the dashboard, implement the MFA flow in your application using your SDK:

* [React MFA Implementation](/react/authentication-methods/mfa)
* [React Native MFA Implementation](/react-native/authentication-methods/mfa)
* [JavaScript MFA Implementation](/javascript/authentication-methods/mfa)
