Multi-Factor Authentication

Next-level security for your app

Unlock advanced authentication methods using authenticator apps (TOTP) and SMS passcodes.

Add MFA to your app

Read the docs

Enter your secure
passcode to continue

Verify Code

Your one-time passcode is:

845 725

Text message
Today at 12:23 PM

Your secure sign-in code is 845725

Your app. Your rules.
Secure by design.

Read the MFA Getting Started Guide

Multi-Factor Authentication

Your app’s architecture for advanced security

TOTP

Time-based One-Time Password supported

SMS

Phone number passcodes enabled

Frictionless integration. Compatible with your needs.

With a few API calls, you can integrate MFA into an existing application, regardless of the authentication layer or session management strategy.

Enroll, activate, and verify authentication factors

A composable, unopinionated set of endpoints that can be integrated into an existing application.

Read the docs

Get your API key


// Register an additional factor of authentication
// such as Time-based One Time Password (TOTP)

import WorkOS from '@workos-inc/node';

const workos = new WorkOS('sk_example_123456');

await workos.mfa.enrollFactor({
  type: 'totp',
  issuer: 'Foo Corp',
  user: 'alan.turing@foo-corp.com',
});


# Register an additional factor of authentication
# such as Time-based One Time Password (TOTP)

require 'workos'

WorkOS.key = 'sk_example_123456'

factor = WorkOS::MFA.enroll_factor(
  type: 'totp',
  totp_issuer: 'Foo Corp',
  totp_user: 'alan.turing@foo-corp.com',
)


# Register an additional factor of authentication
# such as Time-based One Time Password (TOTP)

import workos
from workos import client

workos.api_key = 'sk_example_123456'
workos.client_id = 'client_123456789'

response = workos.client.mfa.enroll_factor(
  type='totp',
  totp_issuer='Foo Corp',
  totp_user='alan.turing@foo-corp.com'
)


// Register an additional factor of authentication
// such as Time-based One Time Password (TOTP)

import "github.com/workos/workos-go/pkg/mfa"

mfa.SetAPIKey("sk_example_123456")

enroll, err := mfa.EnrollFactor(context.Background(), mfa.GetEnrollOpts{
  Type:       "totp",
  TotpIssuer: "Foo Corp",
  TotpUser:   "alan.turing@foo-corp.com",
})


// Register an additional factor of authentication
// such as Time-based One Time Password (TOTP)

$this->mfa = new WorkOS\MFA();

$type = "totp";
$totpIssuer = "Foo Corp";
$totpUser = "alan.turing@foo-corp.com";

$factor = $this->mfa->enrollFactor($type, $totpIssuer, $totpUser);


// Register an additional factor of authentication
// such as Time-based One Time Password (TOTP)

import com.workos.WorkOS;

WorkOS workos = new WorkOS("sk_example_123456");

EnrollFactorOptions options = MfaApi.EnrollFactorOptions.builder()
  .type("totp")
  .issuer("Foo Corp")
  .user("alan.turing@foo-corp.com")
  .build();

Factor factor = workos.mfa.enrollFactor(options);


// Register an additional factor of authentication
// such as Time-based One Time Password (TOTP)

WorkOS.SetApiKey("sk_example_123456");

var service = new MfaService();
var options = new EnrollTotpFactorOptions("Foo Corp", "alan.turing@foo-corp.com");
var response = await service.EnrollFactor(options);


curl --request POST \
  --url "https://api.workos.com/auth/factors/enroll" \
  --header "Authorization: Bearer sk_example_123456" \
  -d type="totp" \
  -d totp_issuer="Foo Corp" \
  -d totp_user="alan.turing@foo-corp.com"

Stay in control of the user journey
Choose between enforcing MFA for all users or making it an opt-in configuration.
Customizable templates
Tailor the SMS message delivered to your users to fit your app and brand.
Flexible authentication flows
Allow users to configure both TOTP and SMS verification using the same API interface.