Implementing MFA
Learn how to implement MFA and step-up authentication across your application using Authsignal actions.
Actions are the foundation for implementing multi-factor authentication (MFA) and step-up authentication in your application. By tracking specific user activities as actions, you can apply contextual security policies that challenge users when needed.
MFA on login
The most common MFA scenario is requiring additional authentication after a user’s primary credentials (username and password) have been validated.
Here’s how the flow works with Authsignal:
Implementation
- Track the login action after validating primary credentials.
- Handle the response based on the action state:
  - If CHALLENGE_REQUIRED: Redirect user to the authentication flow
  - If ALLOW: Proceed with login
  - If BLOCK: Deny access
  - If REVIEW: Review the challenge
- Follow the standard integration steps covered in actions getting started to launch the challenge URL and validate the result.
Step-up authentication
Step-up authentication challenges users when they perform sensitive operations, even if they’re already logged in. This is ideal for high-risk actions like financial transactions, account settings changes, or data exports.
Common step-up scenarios
- Financial transactions: Challenge for payments above a certain threshold
- Account changes: Require authentication for email/password changes
- Administrative actions: Challenge admin users for sensitive operations
- Data access: Authenticate before accessing sensitive information
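The login flow and the step-up scenarios above share one server-side pattern: track an action, dispatch on the returned state, and only proceed on an explicit ALLOW. The following is an added example, not Authsignal's SDK or sample code. It assumes a `track` function taking `{ userId, action, attributes }` and returning `{ state, url }`, and a `validate` function taking `{ token }` and returning `{ state }`; the action names `signIn` and `makePayment`, the `amount` attribute, and the `fakeTrack`/`fakeValidate` stand-ins are constructed for this example so it runs offline.

```javascript
// Added example (not Authsignal's own code). Assumptions: `track` takes
// { userId, action, attributes } and returns { state, url? }; `validate`
// takes { token } and returns { state }. fakeTrack/fakeValidate are
// constructed stand-ins so the file runs offline; the real SDK calls are
// asynchronous and must be awaited.

const ActionState = Object.freeze({
  ALLOW: "ALLOW",
  BLOCK: "BLOCK",
  CHALLENGE_REQUIRED: "CHALLENGE_REQUIRED",
  REVIEW: "REVIEW",
});

// Translate an action result into the application's next step.
// Anything that is not an explicit ALLOW does not grant access.
function decide(result) {
  switch (result.state) {
    case ActionState.ALLOW:
      return { outcome: "proceed" };
    case ActionState.CHALLENGE_REQUIRED:
      if (!result.url) {
        throw new Error("CHALLENGE_REQUIRED result is missing a challenge url");
      }
      return { outcome: "redirect", url: result.url };
    case ActionState.BLOCK:
      return { outcome: "deny" };
    case ActionState.REVIEW:
      // Hold the operation until the challenge has been reviewed.
      return { outcome: "hold" };
    default:
      // Fail closed on states this code does not recognise.
      return { outcome: "deny", reason: `unrecognised state: ${result.state}` };
  }
}

// Track `action` for `userId`, then dispatch on the returned state.
function guard(track, userId, action, attributes) {
  return decide(track({ userId, action, attributes }));
}

// MFA on login: call only after the primary credentials have been validated.
// The action name "signIn" is an assumption for this example.
function login(track, userId, redirectUrl) {
  return guard(track, userId, "signIn", { redirectUrl });
}

// Step-up for an already authenticated user making a payment.
// The action name and the `amount` attribute are assumptions for this example.
function makePayment(track, userId, amount, redirectUrl) {
  return guard(track, userId, "makePayment", { redirectUrl, amount });
}

// After the user returns from the challenge URL with a token, validate it and
// proceed only on an explicit ALLOW.
function completeChallenge(validate, token) {
  if (typeof token !== "string" || token.length === 0) {
    return { outcome: "deny", reason: "missing token" };
  }
  const result = validate({ token });
  return result.state === ActionState.ALLOW
    ? { outcome: "proceed" }
    : { outcome: "deny", reason: `challenge not passed: ${result.state}` };
}

// Constructed stand-in for the server SDK. The fixed policy below exists only
// so the example runs offline; in production the state comes from the rules
// configured for each action in Authsignal.
function fakeTrack({ userId, action, attributes }) {
  const url = `https://challenge.example/launch?action=${encodeURIComponent(action)}`;
  if (userId === "blocked-user") return { state: ActionState.BLOCK };
  if (action === "signIn") return { state: ActionState.CHALLENGE_REQUIRED, url };
  if (action === "makePayment") {
    return attributes.amount > 1000
      ? { state: ActionState.CHALLENGE_REQUIRED, url }
      : { state: ActionState.ALLOW };
  }
  return { state: ActionState.REVIEW };
}

// Constructed stand-in for challenge validation: one hard-coded token passes.
function fakeValidate({ token }) {
  return {
    state: token === "good-token" ? ActionState.ALLOW : ActionState.CHALLENGE_REQUIRED,
  };
}
```

The `default` branch in `decide` is the part worth keeping when adapting this: a new or unexpected state must land on the deny path, and `completeChallenge` treats anything other than ALLOW from validation as a failed challenge, so a missing or tampered token never completes the login or the step-up.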
Combining with rules for adaptive MFA
While actions define what to protect, rules define when to challenge users. You can create adaptive MFA flows by combining actions with rules:
- Challenge only on new devices
- Require stronger authentication for high-risk IP addresses
- Skip MFA for trusted locations
- Apply different requirements based on user risk scores
Learn more about implementing adaptive MFA with rules.