Multi-factor Authentication (MFA)
Descope provides the ability to add layered security to your application by implementing Multi-factor Authentication (MFA). MFA is an authentication method that requires the user to provide two or more separate pieces of evidence to verify their identity. For example, the first factor can be an OTP sent to the user’s phone or email, and the second factor can be biometric authentication. Using more than one factor greatly reduces the chance of attackers compromising a user’s account.
With Descope, you can implement MFA within your application using either Flows, Client SDKs, or Backend SDKs. Irrespective of the implementation method, once MFA has been successfully completed, the returned JWT will include `mfa` within the `amr` claim of the JWT.
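One way a backend can enforce this before a sensitive operation, shown as an added example that is not Descope's own code. It assumes `claims` is the payload of a session JWT that has already been validated (signature, expiry, issuer), for instance by a Descope Backend SDK; the handler name and sample claim values are constructed for illustration.

```python
# Added example: gate sensitive operations on "mfa" being present in the amr claim.
# Assumption: `claims` comes from a session JWT that was ALREADY validated;
# this code does not verify tokens itself.
from functools import wraps


class MFARequired(Exception):
    """Raised when a validated session carries no proof of MFA."""


def has_mfa(claims):
    """Return True only if amr is a list that contains the exact string 'mfa'.

    Fails closed: a missing claim, a non-list value, or a bare string is
    rejected. Requiring a list avoids the substring pitfall where
    `"mfa" in "nomfa"` is True for plain strings.
    """
    if not isinstance(claims, dict):
        return False
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return False
    return any(isinstance(v, str) and v == "mfa" for v in amr)


def require_mfa(handler):
    """Decorator: run the handler only for sessions established with MFA."""
    @wraps(handler)
    def wrapper(claims, *args, **kwargs):
        if not has_mfa(claims):
            # Caller should map this to HTTP 403 and start a step-up flow.
            raise MFARequired("session was not established with MFA")
        return handler(claims, *args, **kwargs)
    return wrapper


@require_mfa
def change_payout_account(claims, new_account):  # hypothetical sensitive handler
    return f"payout account for {claims['sub']} set to {new_account}"


# Constructed sample payloads (not real tokens; the "email" value is illustrative).
SINGLE_FACTOR = {"sub": "U-constructed-1", "amr": ["email"]}
MFA_SESSION = {"sub": "U-constructed-1", "amr": ["email", "mfa"]}
```

Performing the check on the server, rather than trusting a client-side flag, keeps the decision tied to the signed token.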
With Flows
In Descope, MFA is implemented as a sequence of two or more authentication methods that provide different pieces of evidence. As the developer, you have the flexibility to determine how you want to implement MFA in your flow.
For example, you could create an MFA flow that:
- Starts with a password, followed by TOTP verification
- Uses social login, then requires a one-time password sent via SMS
- Begins with passkeys, followed by a magic link via email
- Combines any other authentication methods that provide different pieces of evidence
MFA requires multiple different pieces of evidence. You cannot use the same channel twice. For example:
- ❌ Magic link to email + OTP to the same email
- ❌ SMS OTP + SMS magic link to the same phone number
The key is that users must successfully complete multiple authentication steps using different pieces of evidence before gaining access. This approach gives you the flexibility to choose the authentication methods that best balance security and user experience for your specific use case.
Check out the MFA section of our flow library for more examples of flows that implement MFA.