Working With MFA


Frontegg comes with Multi-Factor Authentication (MFA) enabled and ready to go. Users can implement MFA using their mobile phone and any of the standard authentication apps on the market. By enforcing two different types of verifications, you can drastically improve user security.


Coming Soon

In addition to mobile authentication apps, Frontegg will soon support other MFA options, like SMS, email, QR code-based and others.


Authenticator Apps

Users can implement MFA with any of the standard authentication apps on the market. They can use Google Authenticator, Authy, LastPass Authenticator, or MS Authenticator. These applications make it easy to manage authentication and provide stronger authentication than SMS or email tokens.

When users onboard the MFA application to their preferred authenticator app, the authenticator app shows the user your application's service name along with the corresponding authentication code they need to login.

By default, MFA is optional for users, not required. This empowers users to decide how many factors their account requires for authentication.

Read below to learn how to force users to use MFA.

Configure MFA


Global Forced MFA

When configuring MFA, decide whether to force all users to authenticate with MFA regardless of which tenant they belong to. This is called Global Forced MFA. Read below to learn more.

Read below to learn more about how to configure MFA in your Frontegg Portal Settings.

Go to Authentication ➜ Settings ➜ Multi-Factor Authentication.

Service Name

Your portal comes with a default service name for your portal. You can change it by entering a new name and clicking save.

Your users need the service name when setting up their MFA authenticator app. The authenticator apps will then give your users a verification code they need for login based on your service name.

Remember MFA Devices

Set whether users can allow their trusted devices to remember their MFA. If you allow devices to remember MFA, the user can bypass the MFA step for a set number of days.

Go to Authentication ➜ Settings ➜ Multi-Factor Authentication.

Find the switch for remember MFA devices and toggle it to on. Then, enter the number of days that a device can remember MFA.

If you enable this feature, users will see a checkbox in the Frontegg Portal during the MFA login process where they can mark the device as trusted.

Global Forced MFA

You can require that all users log in using MFA. By default, using MFA is optional. This means that a user can implement MFA for their account; however, they do not have to.

Instead of leaving it for a user to decide, you can force all users to use MFA.

Go to Authentication ➜ Settings ➜ Multi-Factor Authentication.

Choose the radio button for either Don't Force, Force, or Force except SAML.

  • Don't Force means that users do not need to configure MFA, but they can if they want.

  • Force means that every user has to use MFA.

  • Force except SAML means every user has to use MFA except those using external identity providers to log in. Identity providers have their own methods of verifying user identities. Therefore, forcing MFA on them is somewhat redundant.


Strict Configuration

A tenant can set its own MFA policy. In the event of a conflict MFA policies, Frontegg always enforces the stricter configuration.

For instance, if global forced MFA is enabled and set to Force or Force except SAML but a tenant does not require MFA, a user is nonetheless required to use MFA.

Forget MFA

If a user with MFA activated loses their ability to authenticate, for instance, by losing or replacing their phone without keeping the recovery code, you can unenroll a user from MFA.

To unenroll a user from MFA, Go to Manage ➜ Users.

Find the user for which you want to unenroll from MFA. Right click on that user, and choose Unenroll MFA.

Did this page help you?