Multi-factor Authentication

Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to a resource. Enabling MFA on your site with ReachFive ensures your users must verify their login with a second factor (sms code, email link, etc.).


In order to use MFA, you must have the following features enabled and configured on your account:

  • SMS if using phone numbers as a second factor; not required if only using email

  • Passwordless

  • SSO

See the MFA methods in the Core SDK or the MFA endpoints in our Identity API for more information on using the MFA flow.
Why use MFA and Stepup authentication?

One of the best benefits of MFA with ReachFive is that it improves your organization’s security by requiring users to identify themselves with more than just a username and password when logging into their account or accessing specific resources. Traditional credentials are great, but they can be vulnerable to brute force attacks.

When you enable MFA on your ReachFive account, it ensures your users that their experience is secure while extensively reducing the chances of their private information being stolen.

MFA settings

You can manage your MFA settings directly in the ReachFive Console.

Enable second factors for MFA

You can enable both email and SMS (or just one) as a second factor for your users to use in the MFA/stepup flow.

  • Email = This means that you users can use their email as the second factor in the MFA flow (and will receive an email with the link or verification code as part of that flow).

  • SMS = This means that you users can use their mobile as the second factor in the MFA flow (and will receive an SMS with the verification code as part of that flow).

    This is only available to customers who have the SMS feature activated.

To enable the second factors:

  1. From your ReachFive Console, go to MFA  Settings.

  2. Toggle the second factor that you would like to enable.

  3. Don’t forget to Save your input.

    settings toggle second factor

Require MFA for login

It’s possible to enforce MFA all the time for the login flow if desired for users with a registered second factor MFA credential.

This is only enforced when users have a registered second factor credential for MFA. If they do not have a credential registered, then the stepup is not required for that user to log in.
Option Notes


Users are always required to validate a second factor to log in.


Users are never required to validate a second factor to log in.

To set the requirements for logging in:

  1. From your ReachFive Console, go to MFA  Settings.

  2. Choose Always or Never.

  3. Don’t forget to Save your input.

    mfa settings require MFA always

Stepup authentication

Stepup authentication is a little different than traditional MFA, but it offers a balance between unnecessary friction in the user experience and enhanced security when accessing sensitive information.

You must have MFA enabled on your ReachFive Console to use Stepup authentication.

There are two subsections here:

Stepup authentication is best used for specific actions such as:

  • Paying with a credit card

  • Changing personal account details

  • Adding authentication information

  • Logging in from a new device or location

These are just examples and don’t represent all possible times you might use Stepup authentication.

MFA flow with Stepup authentication

When a user is already logged in, but they want to access something secure or perform a sensitive action (like purchasing a product), you can configure the Stepup authentication flow. See the accompanying MFA flow table to follow along with the flowchart.

The flow below assumes the user has already signed up to your site.
MFA Flow table
Step Core JS SDK method API operation Notes



User logs in

User logs into the site.

The user can log in other ways than just using a password of course. See the other options in the Core SDK method list.


User browses the site; visits a product page.



List MFA credentials

Ensures the user has MFA credentials and has completed the registration process.

This can be via mobile phone or email.



Start MFA registration

Registers the user’s phone number for use as an MFA credential (second factor).

This step shows registering with a phone number, but you can also register with an email.



Verify MFA registration

Verifies the user’s phone number for use as an MFA credential (second factor).

This step shows verifying a phone number, but you can also verify an email.



Initiate stepup flow

Initiates the stepup flow.



Start Passwordless MFA

Starts the passwordless flow for MFA using the step_up token received in the stepup flow initiation.



Verify Passwordless MFA

Verifies the passwordless flow for MFA with the user verification code and challenge_id.



Retrieve access token

Exchanges the authorization code for a new access token.


Decode the token

Confirms "mfa" is part of the user’s "amr" array.

    "amr": [


Product purchased.

Using the stepup endpoint

When you use the stepup endpoint to initiate the stepup flow, you can start the flow in one of three ways.

See the table below for accompanying details to the flowchart.


Stepup options
Approach Description

SSO session cookie


Using a current, active SSO cookie initiates the stepup flow.

With the SSO session cookie, the cookie is deposited by the SDK into the browser. This way, it can’t be leaked or used on another domain.

It only works in conjunction with the Core SDK.


POST https://YOUR_DOMAIN/identity/v1/mfa/stepup


  "client_id": "nvR2y0ks...EgCW2dqy",
  "response_type": "code",
  "scope": "openid phone address profile mfa",
  "redirect_uri": ""

tkn in request body


Passing a valid tkn in the request body initiates the stepup flow. The tkn comes from the user login. Essentially, users must log in to have a fresh authorization.


POST https://YOUR_DOMAIN/identity/v1/mfa/stepup

  "client_id": "nvR2y0ks...EgCW2dqy",
  "response_type": "code",
  "scope": "openid phone address profile mfa",
  "redirect_uri": "",
  "tkn": "xhNGxw...70zx32" (1)
1 The one-time use authentication token.

access_token in AUTH header

Passing the access_token in your Authorization header initiates the stepup flow.

We recommend that you only use this approach if you are unable to use the SSO session cookie or tkn approach.
We can’t ensure how fresh the token will be in this case or if it has been leaked. Therefore, we strongly recommend against using this approach. It should be implemented as a last resort only.


POST https://YOUR_DOMAIN/identity/v1/mfa/stepup

AUTHORIZATION: Bearer {access_token}

  "client_id": "nvR2y0ks...EgCW2dqy",
  "response_type": "code",
  "scope": "openid phone address profile mfa",
  "redirect_uri": ""

MFA user experience

By enabling MFA with ReachFive on your site, you can provide a secure, frictionless user experience.

A typical user journey is when Stepup authentication is configured so that MFA is only required during sensitive actions like making a purchase or changing personal details, similar to the video below.

You can configure a template that is sent to users like in this experience on the ReachFive Console.