Overview
Passwords alone are no longer sufficient protection for systems that handle sensitive data. The Multi-Factor Authentication module adds a second layer of verification across multiple methods, from authenticator apps and hardware security keys to biometrics and SMS codes. Risk-based logic means that users authenticating from familiar devices and locations face minimal friction, while unfamiliar or high-risk contexts require stronger verification.
For organisations handling classified information, patient records, or financial data, the FIDO2 hardware key and biometric options provide phishing-resistant authentication at NIST AAL3 assurance level.
Key Features
- Authenticator App Support (TOTP): Industry-standard time-based one-time passwords compatible with all major authenticator apps including Google Authenticator, Microsoft Authenticator, Authy, 1Password, Duo Mobile, and any RFC 6238-compliant application. QR code enrolment completes setup in under a minute.
- SMS and Voice Authentication: Mobile-based verification via SMS text messages and voice calls with global coverage across 195+ countries. Multi-language support with automatic carrier detection and failover between providers for reliable delivery.
- Biometric Authentication: Fingerprint, facial recognition, and voice recognition support across iOS (Face ID, Touch ID), Android (BiometricPrompt), Windows (Windows Hello), and web browsers (WebAuthn/FIDO2). Biometric data never leaves the user's device.
- Hardware Security Keys (FIDO2): Phishing-resistant authentication with physical security keys including YubiKey, Google Titan, and other FIDO2-compliant devices. Supports passwordless authentication with resident credentials and passkeys, meeting the highest assurance level requirements.
- Backup Codes and Recovery: Emergency single-use backup codes with multiple recovery options including recovery email, recovery phone, trusted contacts, and administrator-assisted recovery. Users are never permanently locked out.
- Risk-Based Authentication: Intelligent analysis of device trust, location, behavioural patterns, and network reputation determines when MFA is needed. Trusted devices and networks receive reduced friction; unfamiliar contexts trigger stronger verification automatically.
- Step-Up Authentication: Sensitive operations such as changing security settings, accessing classified data, or performing administrative actions require additional verification regardless of the initial login risk score.
- Self-Service MFA Management: Users enrol and manage their own MFA devices, generate backup codes, and configure recovery methods through an intuitive self-service portal, reducing helpdesk burden without reducing security.
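The step-up and risk-based rules in the feature list above, as an added example (not the module's own code) of the policy check a downstream service could run over a verified token's claims. It uses the `amr` and `step_up` claims the Open Standards section describes; the assurance tiers, the risk threshold, the step-up freshness window and the use of `auth_time` for freshness are assumptions of this example.

```python
# Authentication method references (amr values as listed on this page). Grouping them
# into assurance tiers is this example's assumption, following the Supported
# Authentication Methods table: phishing-resistant methods qualify for AAL3.
PHISHING_RESISTANT = {"hwk", "fido", "webauthn"}
SECOND_FACTOR = {"totp", "sms", "otp"} | PHISHING_RESISTANT

# Operations the feature list names as needing step-up regardless of login risk score.
SENSITIVE_OPERATIONS = {"change_security_settings", "access_classified_data", "admin_action"}

RISK_THRESHOLD = 0.7   # assumed: scores at or above this count as an unfamiliar context
STEP_UP_MAX_AGE = 300  # assumed: seconds a step-up assertion stays fresh


def assurance_level(amr) -> int:
    """Simplified AAL estimate from the amr claim: 3 = phishing-resistant second factor,
    2 = any other second factor, 1 = single factor (password only)."""
    methods = set(amr or [])
    if methods & PHISHING_RESISTANT:
        return 3
    if methods & SECOND_FACTOR:
        return 2
    return 1


def authorize(claims: dict, operation: str, now: int, risk_score: float = 0.0) -> str:
    """Policy decision for one request, given the claims of an already-verified JWT
    (signature, issuer and audience checks are assumed to have passed).
    Returns "allow", "step_up_required" or "deny"."""
    if now >= claims.get("exp", 0):
        return "deny"                           # expired token: nothing else matters
    if operation not in SENSITIVE_OPERATIONS:
        # Risk-based path: a familiar context (low score) passes with any valid session;
        # an unfamiliar one needs at least a second factor on the session.
        if risk_score >= RISK_THRESHOLD and assurance_level(claims.get("amr")) < 2:
            return "step_up_required"
        return "allow"
    # Sensitive operation: the login risk score is deliberately not consulted here.
    # Even a low-risk session needs a fresh step-up assertion with a strong method.
    if not claims.get("step_up"):
        return "step_up_required"
    if now - claims.get("auth_time", 0) > STEP_UP_MAX_AGE:
        return "step_up_required"               # step-up is stale, ask again
    if assurance_level(claims.get("amr")) < 3:
        return "step_up_required"               # TOTP or SMS is not enough for these actions
    return "allow"
```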
Supported Authentication Methods
| Method | Offline Capable | Phishing Resistant | Setup Time |
|---|---|---|---|
| Authenticator App (TOTP) | Yes | No | ~45 seconds |
| SMS / Voice Code | No | No | ~30 seconds |
| Biometric (Face/Fingerprint) | Yes | Yes | ~60 seconds |
| Hardware Security Key (FIDO2) | Yes | Yes | ~90 seconds |
| Backup Codes | Yes | No | Instant |
Use Cases
- Law enforcement agencies and intelligence organisations requiring phishing-resistant FIDO2 hardware keys for access to classified investigation systems.
- Government departments meeting NIST 800-63B AAL2 and AAL3 requirements for authenticator assurance levels.
- Financial institutions satisfying PCI DSS MFA requirements across cardholder data environments with minimal staff friction.
- Healthcare providers balancing HIPAA access control requirements with the speed clinical staff need during patient care.
- Critical infrastructure operators deploying hardware key authentication for operational technology access where credential theft would have physical consequences.
Open Standards
- FIDO2 / W3C Web Authentication (WebAuthn Level 3): Hardware security keys, platform authenticators, and passkeys are registered and verified using the full WebAuthn registration and authentication ceremony, including attestation and assertion handling.
- NIST SP 800-63B (Digital Identity Guidelines): Risk-based authentication thresholds and method requirements are aligned to Authenticator Assurance Levels AAL1, AAL2, and AAL3 as defined in this guideline.
- RFC 6238 (TOTP): Authenticator-app one-time passwords are generated and validated using the Time-Based One-Time Password algorithm; any RFC 6238-compliant application can be enrolled.
- RFC 4226 (HOTP): The HMAC-based one-time password algorithm that underpins TOTP is implemented as defined in this specification, including the counter and truncation logic.
- RFC 8176 (Authentication Method Reference Values): JWT tokens issued after MFA carry standardised `amr` claim values (such as `totp`, `hwk`, `fido`, and `webauthn`) to communicate the authentication methods used to downstream services.
- RFC 7519 (JSON Web Token): Access tokens and step-up tokens are issued as JWTs signed with RS256, carrying MFA-related claims including `amr` and `step_up` for authorisation decisions.
- OpenID Connect Core 1.0 / OAuth 2.0 (RFC 6749): External SSO and OIDC callback provisioning integrates with identity providers using these protocols, enabling federated MFA enforcement across partner organisations.
Getting Started
- Enable MFA Policies: Configure which authentication methods are available and which are required for your organisation.
- User Enrolment: Launch self-service enrolment for users to set up their preferred MFA methods.
- Configure Risk Thresholds: Set risk score boundaries to determine when additional authentication is required.
- Monitor Adoption: Track MFA enrolment and usage through the authentication analytics dashboard.
Availability
- Enterprise Plan: Included (all methods, risk-based authentication, hardware key support)
- Professional Plan: TOTP and SMS included; biometric, FIDO2, and risk-based authentication available as add-on
Last Reviewed: 2026-02-05
Last Updated: 2026-04-14