Multi-Factor Authentication

Overview#

The Multi-Factor Authentication (MFA) module provides layered security across multiple authentication methods including authenticator apps (TOTP), SMS and voice codes, biometrics, hardware security keys (FIDO2), and backup codes. Risk-based authentication intelligently prompts for MFA only when anomalies are detected, balancing security with user experience.

Key Features#

• Authenticator App Support (TOTP) - Industry-standard time-based one-time passwords compatible with all major authenticator apps including Google Authenticator, Microsoft Authenticator, Authy, 1Password, Duo Mobile, and any RFC 6238-compliant application. QR code enrollment enables setup in seconds.

• SMS and Voice Authentication - Mobile-based verification via SMS text messages and voice calls with global coverage across 195+ countries. Multi-language support with automatic carrier detection and failover between providers for reliable delivery.

• Biometric Authentication - Fingerprint, facial recognition, and voice recognition support across iOS (Face ID, Touch ID), Android (BiometricPrompt), Windows (Windows Hello), and web browsers (WebAuthn/FIDO2). Biometric data never leaves the user's device.

• Hardware Security Keys (FIDO2) - Phishing-resistant authentication with physical security keys including YubiKey, Google Titan, and other FIDO2-compliant devices. Supports passwordless authentication with resident credentials and passkeys.

• Backup Codes and Recovery - Emergency single-use backup codes with multiple recovery options including recovery email, recovery phone, trusted contacts, and administrator-assisted recovery. Users are never permanently locked out.

• Risk-Based Authentication - Intelligent analysis of device trust, location, behavioral patterns, and network reputation to determine when MFA is needed. Trusted devices and networks can receive reduced friction while unfamiliar contexts trigger stronger verification.

• Step-Up Authentication - Sensitive operations (such as changing security settings, accessing classified data, or administrative actions) can require additional verification regardless of the initial login risk level.

• Self-Service MFA Management - Users can enroll and manage their own MFA devices, generate backup codes, and configure recovery methods through an intuitive self-service portal, reducing helpdesk burden.

Supported Authentication Methods#

Use Cases#

• Zero-trust security with mandatory MFA enforcement across all users, with risk-based policies to minimize friction for legitimate access.
• Phishing prevention using hardware security keys and biometric authentication that are resistant to credential interception attacks.
• Regulatory compliance meeting MFA requirements for SOC 2, HIPAA, PCI DSS, and NIST 800-63B at the appropriate assurance levels.
• Remote workforce security with device-based trust and location-aware authentication for users accessing the platform from anywhere.
• Progressive security adoption using risk-based authentication to introduce MFA gradually, starting with high-risk scenarios and expanding based on organizational readiness.

Getting Started#

1. Enable MFA Policies - Configure which authentication methods are available and which are required for your organization.
2. User Enrollment - Launch self-service enrollment for users to set up their preferred MFA methods.
3. Configure Risk Thresholds - Set risk score boundaries to determine when additional authentication is required.
4. Monitor Adoption - Track MFA enrollment and usage through the authentication analytics dashboard.

Availability#

• Enterprise Plan: Included (all methods, risk-based authentication, hardware key support)
• Professional Plan: TOTP and SMS included; biometric, FIDO2, and risk-based authentication available as add-on

Last Reviewed: 2026-02-05