Working With MFA


Frontegg comes with Multi-Factor Authentication (MFA) enabled and ready to go. Users can implement MFA using their mobile phone and any of the standard authentication apps on the market.

As a vendor, you can force all users to implement MFA or you can

By enforcing two different types of verifications, you can drastically improve user security.



Coming Soon

In addition to mobile authentication apps, Frontegg will soon support other MFA options, like SMS, email, QR code-based and others.


Authenticator Apps

Users can implement MFA with any of the standard authentication apps on the market. They can use Google Authenticator, Authy, LastPass Authenticator, or MS Authenticator. These applications make it easy to manage authentication and provide stronger authentication than SMS or email tokens.

When users onboard the MFA application to their preferred authenticator app, the authenticator app shows the user your application's service name along with the corresponding authentication code they need to login.

By default, MFA is optional for users, not required. This empowers users to decide how many factors their account requires for authentication.

Read below to learn how to force users to use MFA.

Global MFA

You can require that all users implement MFA.

By default, using MFA is optional. This means that a user can implement MFA for their account; however, they do not have to.

Instead of leaving it for a user to decide, you can force all users to use MFA.

Go to Home ➜ Builder ➜ Security.

Turn on MFA.


Click the gear icon to configure it.

Choose the radio button for either Don't Force, Force, or Force except SAML.

  • Don't Force means that users do not need to configure MFA, but they can if they want.

  • Force means that every user has to use MFA.

  • Force except SAML means every user has to use MFA except those using external identity providers to log in. Identity providers have their own methods of verifying user identities. Therefore, forcing MFA on them is somewhat redundant.

Customer MFA

Instead of forcing all users to use MFA, you can force it based on accounts.

Learn how in the guide for managing customer accounts.

User MFA

Whether a user requires MFA depends upon which accounts they belong to.


Strict Configuration

In addition to the global vs customer distinction, a tenant can set its own MFA policy. In the event of a conflict MFA policies, Frontegg always enforces the stricter configuration.

For instance, if global forced MFA is enabled and set to Force or Force except SAML but a tenant does not require MFA, a user is nonetheless required to use MFA.

Configuration Settings

When forcing MFA, you can configure additional settings to customize the MFA experience. Read below to learn more about the additional settings.

Service Name

Your portal comes with a default service name for your portal. You can change it by entering a new name and clicking save.

Your users need the service name when setting up their MFA authenticator app. The authenticator apps will then give your users a verification code they need for login based on your service name.

Remember MFA Devices

Set whether users can allow their trusted devices to remember their MFA. If you allow devices to remember MFA, the user can bypass the MFA step for a set number of days.

Go to Authentication ➜ Settings ➜ Multi-Factor Authentication.

Find the switch for remember MFA devices and toggle it to on. Then, enter the number of days that a device can remember MFA.

If you enable this feature, users will see a checkbox in the Frontegg Portal during the MFA login process where they can mark the device as trusted.


Forget MFA

If a user with MFA activated loses their ability to authenticate, for instance, by losing or replacing their phone without keeping the recovery code, you can unenroll a user from MFA.

To unenroll a user from MFA, Go to Manage ➜ Users.

Find the user for which you want to unenroll from MFA. Right click on that user, and choose Unenroll MFA.

Did this page help you?