Multi-factor Authentication
Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to a resource. Enabling MFA on your site with ReachFive requires your users to verify their login with a second factor (SMS code, email link, etc.).
Prerequisites
In order to use MFA, you must have the following features enabled and configured on your account:
- SMS
- Passwordless
- SSO
See the MFA methods in the Core SDK or the MFA endpoints in our Identity API for more information on using the MFA flow.
Step-up authentication
Step-up authentication differs a little from traditional MFA: rather than challenging the user at every login, it requires the second factor only when the user accesses sensitive information or performs a sensitive action. This balances the friction of an extra factor against the added security where it actually matters.
You must have MFA enabled on your ReachFive Console to use Step-up authentication.
Step-up authentication is best used for specific actions such as:
- Paying with a credit card
- Changing personal account details
- Adding authentication information
- Logging in from a new device or location
These are just examples and don’t represent all possible times you might use Step-up authentication.
MFA flow with Step-up authentication
When a user is already logged in, but they want to access something secure or perform a sensitive action (like purchasing a product), you can configure the Step-up authentication flow. See the accompanying MFA flow table to follow along with the flowchart.
The flow below assumes the user has already signed up to your site.
| Step | Core JS SDK method | API operation | Notes |
|---|---|---|---|
| 1 | | | User logs into the site. |
| 2 | | | User browses the site; visits a product page. |
| 3 | | | Ensures the user has MFA credentials and has completed the registration process. |
| 4 | | | Registers the user's phone number for use as an MFA credential (second factor). |
| 5 | | | Verifies the user's phone number for use as an MFA credential (second factor). |
| 6 | | | Initiates the stepup flow. |
| 7 | | | Starts the passwordless flow for MFA using the |
| 8 | | | Verifies the passwordless flow for MFA with the user verification code and |
| 9 | | | Exchanges the authorization code for a new access token. |
| 10 | | | Confirms |
| 11 | | | Product purchased. |
Using the stepup endpoint
When you use the stepup endpoint to initiate the stepup flow, you can start the flow in one of three ways.
See the table below for accompanying details to the flowchart.
| Approach | Description |
|---|---|
| SSO session cookie (Recommended) | Using a current, active SSO session cookie initiates the stepup flow. The SDK deposits this cookie into the browser itself, so it can't be leaked or used on another domain. |
| (Recommended) | Passing a valid |
| | Passing the |
Configure MFA SMS template
You can configure the SMS template that users receive when they use MFA, for both activation and the step-up process.
The MFA feature must be enabled on your ReachFive Console. Contact support if you would like the MFA feature.
Instructions
- Log in to your ReachFive Console.
- Go to the template for <Type>, where <Type> is Activation or Step-up.
- Enter the Verification Code Lifetime. This specifies the validity period for the code in seconds, in other words how long the user has to use the code.
- Enter your Message. Currently, the following variables are available using Liquid:

| Variable | Description |
|---|---|
| {{verification_code}} | The generated verification code sent by SMS. Users enter this code as part of the MFA or Step-up authentication flow. |
| {{user.phone_number}} | The user's phone number. |
| {{user.given_name}} | The user's given name (first name). Example: Nicole |
| {{user.family_name}} | The user's family name (last name, surname). Example: Dubois |

- Don't forget to Save your input.
Configure MFA Email template
You can configure an Email template that users receive when they use MFA, for both activation and the step-up process.
This will not be sent to verified emails.
The MFA feature must be enabled on your ReachFive Console. Contact support if you would like the MFA feature.
Instructions
- Log in to your ReachFive Console.
- Go to the template for <Type>, where <Type> is Activation or Step-up.
- Enter the sender email in the From field.
- Enter your Subject. You can use Liquid variables here.
- Enter the Redirect to URL. This is where users are sent after clicking the magic link.
- Enter how long you want the link to be valid (in seconds) in the Link Lifetime field.
- Enter your Message. You can use Liquid variables here.
- Optionally, toggle the HTML? slider if you want the email to be sent as HTML.
- Don't forget to Save your input.
Liquid variables
The following variables are available using Liquid.

| Variable | Description |
|---|---|
| {{verification_code}} | The generated verification code. |
| | The magic link sent in the email to verify their email address. |
| | The user's language. |
| | The user's email address. |
| {{user.given_name}} | The user's given name (first name). Example: Nicole |
| {{user.family_name}} | The user's family name (last name, surname). Example: Dubois |
MFA user experience
By enabling MFA with ReachFive on your site, you can provide a secure, frictionless user experience.
A typical user journey is one where Step-up authentication is configured so that MFA is only required during sensitive actions like making a purchase or changing personal details, as shown in the accompanying video.
Configure the SMS template that is sent to users in this experience on the ReachFive Console.