Multi-factor authentication [MFA]

When a user logs into an app, they need to authenticate themselves. That's a given. But requiring just one factor of authentication can be risky. If someone else gets their hands on a password, they have access to that account.

Multi-factor authentication (MFA) requires users to use 2 factors of authentication to gain access to a resource, such as an application or online account. In other words, if someone steals your password, the second factor of authentication will stop that password thief from entering your account.

MFA requires 2 of the following 3 kinds of factors:

  1. Something you know (like a password)
  2. Something you have (like a phone)
  3. Something you are (like a fingerprint)

Frontegg provides Multi-factor Authentication (MFA) ready-to-go. As a default, MFA is not forced, meaning your users aren't forced to set up MFA when creating their account.

In order to change the MFA requirement, go to Builder > App settings > MFA.


MFA requirements

  1. Don't force - this requirement means that MFA is optional. If you allow this option and use our admin portal product, you enable your users to choose their own MFA requirements.


MFA in the Admin Portal

Implement the admin portal to give your users the ability to implement MFA on their own account and which MFA requirement they would like to set for themselves.

  1. Force - all users will be forced to authenticate with MFA. When they create their account, they will be required to set up an MFA method. Your users will not be able to override this decision.

  2. Force except enterprise SSO - all users will be forced to authenticate with MFA except for users who log in with enterprise SSO (SAML and OIDC using external identity providers). Identity providers have their own methods of verifying user identities. Therefore, forcing MFA on them is somewhat redundant.


Multitenancy approach to MFA

If a user belongs to multiple tenants (multiple customers of yours) and only one of them forces MFA, it's as if all tenants force it and the user will always have to do MFA. In other words, Frontegg takes the strictest rule.

MFA Methods

In the builder, you have a choice about which methods you want to allow your users to authenticate with for MFA. Frontegg offers 3 MFA methods: Authenticator Apps, SMS, and WebAuthN

Authenticator Apps

Users can implement MFA with any of the standard authenticator apps on the market like Google Authenticator, Authy, LastPass Authenticator, MS Authenticator, or Duo. These applications make it easy to manage authentication and provide stronger authentication than other authentication methods like SMS.


Users can choose to use SMS as their second factor of authentication. This method involves entering a phone number, getting an SMS with a code, and entering the code to authenticate.


WebAuthN is a newer protocol for authenticating users to web-based applications and services using public-key cryptography. It includes platform authenticators like a fingerprint reader or roaming authenticators like Ubikeys or Android phones.


Remember MFA devices

  1. Allow users to remember MFA on their device (they can tick the checkbox and decide if they want to remember a device).
  2. Decide for how long the MFA will be remembered on the device

Authenticator app name

You can change the displayed name in the authenticator app. This name will be presented to all users when they use the Authenticator app as a second authentication factor.

Managing MFA for users on the Frontegg portal

In addition to settings the defaults for MFA in App Settings, you can also control the MFA requirements for individual accounts within the Frontegg portal for any environment and in the back-office. Learn how in the guide for managing customer accounts.


Vendor MFA vs User MFA - Strict Configuration

In addition to vendor MFA policy and the user MFA policy, a tenant can set its own MFA policy as long as it is stricter.

Forget MFA

When a user sets up MFA for the first time, they'll receive a recovery code. This code will allow them to temporarily unenroll from MFA for their next login. They can enter it on any MFA screen.

If a user can't complete MFA and has forgotten their recovery code, you can unenroll a user from MFA by going to the relevant Environment or Backoffice, navigating to Users, clicking the three dots next to the relevant user, and unenrolling them.