Actions are the foundation for implementing multi-factor authentication (MFA) and step-up authentication in your application. By tracking specific user activities as actions, you can apply contextual security policies that challenge users when needed.

MFA on login

The most common MFA scenario is requiring additional authentication after a user’s primary credentials (username and password) have been validated.

Here’s how the flow works with Authsignal:

Implementation

  1. Track the login action after validating primary credentials:

// Track the sign-in for the user whose primary credentials were just validated.
// redirectUrl is where the user is sent back once the challenge completes.
const request = {
  userId: "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833",
  action: "signIn",
  attributes: {
    redirectUrl: "https://yourapp.com/callback",
  },
};

const response = await authsignal.track(request);

// Challenge URL to send the user to when the action state requires a challenge.
const url = response.url;

  2. Handle the response based on the action state:

    • If CHALLENGE_REQUIRED: Redirect the user to the authentication flow
    • If ALLOW: Proceed with login
    • If BLOCK: Deny access
    • If REVIEW: Review the challenge

  3. Follow the standard integration steps covered in the actions getting started guide to launch the challenge URL and validate the result.

Step-up authentication

Step-up authentication challenges users when they perform sensitive operations, even if they’re already logged in. This is ideal for high-risk actions like financial transactions, account settings changes, or data exports.

Common step-up scenarios

  • Financial transactions: Challenge for payments above a certain threshold
  • Account changes: Require authentication for email/password changes
  • Administrative actions: Challenge admin users for sensitive operations
  • Data access: Authenticate before accessing sensitive information
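The state handling from the login flow above applies unchanged to step-up actions, so the following added example (not code from the Authsignal docs or SDK) turns a track() response into a single decision for either case, failing closed on anything it does not recognise. It assumes the track() response exposes the action state in a `state` field next to `url`; the client passed in is a constructed stand-in for the SDK instance.

```javascript
// Added example, not code from the Authsignal docs or SDK. It assumes the
// track() response exposes the action state in a `state` field next to `url`.

const Outcome = Object.freeze({
  ALLOW: "allow",
  CHALLENGE: "challenge",
  REVIEW: "review",
  DENY: "deny",
});

// Pure mapping from a track() response to the decision the application takes.
// Works for a login ("signIn") and for a step-up action alike.
function decisionFromTrackResponse(response) {
  switch (response && response.state) {
    case "ALLOW":
      return { outcome: Outcome.ALLOW };
    case "CHALLENGE_REQUIRED":
      if (typeof response.url !== "string" || response.url.length === 0) {
        // A challenge without a usable URL cannot be completed; do not let it through.
        return { outcome: Outcome.DENY, reason: "challenge required but no challenge URL" };
      }
      return { outcome: Outcome.CHALLENGE, redirectTo: response.url };
    case "REVIEW":
      return { outcome: Outcome.REVIEW };
    case "BLOCK":
      return { outcome: Outcome.DENY, reason: "blocked by policy" };
    default:
      // Fail closed: an unknown or missing state must never grant access.
      return { outcome: Outcome.DENY, reason: `unexpected state: ${String(response && response.state)}` };
  }
}

// Track an action for a user with any client exposing track(request) and
// return the decision. `client` is the SDK instance (or a stand-in).
async function decideAction(client, userId, action, attributes = {}) {
  const response = await client.track({ userId, action, attributes });
  return decisionFromTrackResponse(response);
}

// Constructed stand-in for the SDK client so the example runs offline.
function fakeClient(state, url) {
  return { track: async () => ({ state, url }) };
}

// Example: a step-up on a payment where the policy decided a challenge is needed.
decideAction(fakeClient("CHALLENGE_REQUIRED", "https://challenge.example/abc"),
  "dc58c6dc-a1fd-4a4f-8e2f-846636dd4833", "makePayment", { amount: 2500 })
  .then((decision) => console.log(decision));
```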

Combining with rules for adaptive MFA

While actions define what to protect, rules define when to challenge users. You can create adaptive MFA flows by combining actions with rules:

  • Challenge only on new devices
  • Require stronger authentication for high-risk IP addresses
  • Skip MFA for trusted locations
  • Apply different requirements based on user risk scores

Learn more about implementing adaptive MFA with rules.