Multi-factor Authentication

Multi-factor Authentication (MFA) is an authentication method that requires users to provide two or more verification factors to gain access to a resource. Enabling MFA on your site with ReachFive ensures your users must verify their login with a second factor (sms code, email link, etc.).


In order to use MFA, you must have the following features enabled and configured on your account:

See the MFA methods in the Core SDK or the MFA endpoints in our Identity API for more information on using the MFA flow.
Why use MFA and Step-up authentication?

One of the best benefits of MFA with ReachFive is that it improves your organization’s security by requiring users to identify themselves with more than just a username and password when logging into their account or accessing specific resources. Traditional credentials are great, but they can be vulnerable to brute force attacks. When you enable MFA on your ReachFive account, it ensures your users that their experience is secure while extensively reducing the chances of their private information being stolen.

Step-up authentication

Step-up authentication is a little different than traditional MFA, but it offers a balance between unnecessary friction in the user experience and enhanced security when accessing sensitive information. See the Step-up authentication flow for details on how Step-up authentication works with ReachFive.

You must have MFA enabled on your ReachFive Console to use Step-up authentication.

Step-up authentication is best used for specific actions such as:

  • Paying with a credit card

  • Changing personal account details

  • Adding authentication information

  • Signing in from a new device or location

These are just examples and don’t represent all possible times you might use Step-up authentication.

Step-up authentication flow

When a user is already logged in, but they want to access something secure or perform a sensitive action (like purchasing a product), you can configure the Step-up authentication flow. See the accompanying MFA flow table to follow along with the flowchart.

A user must have already signed up and registered and verified their number for MFA for the below flow to be successful.
MFA Flow table
Step Core JS SDK method API operation Notes



User logs in

User logs into the site.

The user can log in other ways than just using a password of course. See the other options in the Core SDK method list.


User browses the site; visits a product page.



List MFA credentials

Ensures the user has MFA credentials and has completed the registration process.



Initiate stepup flow

Initiates the stepup flow.



Start Passwordless MFA

Starts the passwordless flow for MFA using the step_up token received in the stepup flow initiation.



Verify Passwordless MFA

Verifies the passwordless flow for MFA with the user verification code and challenge_id.


Introspect token

Confirms "mfa" is part of the user’s "amr" array.

    "amr": [

Configure MFA SMS template

You can configure the SMS template that users receive when authenticating via MFA.

The MFA feature must be enabled on your ReachFive Console. Contact support if you would like the MFA feature.


  1. Log in to your ReachFive Console.

  2. Go to MFA  Sms templates.

  3. Enter the Verification Code Lifetime.

    This specifies the validity period for the code in seconds.
  4. Enter your Message.

    Currently, the following variables are available using liquid:
    Variable Description


    This is the generated verification code sent by the SMS. In other words, this is how long the user has to use the code.

    Users enter this code as part of the MFA or Step-up authentication flow.


    The user’s email address.


    The user’s given name (first name).


    Nicole Dubois


    The user’s family name (last name, surname).


    Nicole Dubois

  5. Don’t forget to Save your input.

MFA user experience

By enabling MFA with ReachFive on your site, you can provide a secure, frictionless user experience.

A typical user journey is when Step-up authentication is configured so that MFA is only required during sensitive actions like making a purchase or changing personal details, similar to the video below.

Configure the SMS template that is sent to users in this experience on the ReachFive Console.