Setting Up Multi-Factor Authentication
With Account Kit, multi-factor authentication (MFA) uses authenticator apps—like Google Authenticator, Authy, or Microsoft Authenticator—to generate a Time-based One-Time Password (TOTP).
By requiring both a user’s primary login (e.g., email OTP, magic link, or social login) and a TOTP from their authenticator app, your application gains an extra layer of security.
Multi-factor authentication requires a primary authentication method (Email OTP, Email Magic Link, or Social Login) to be already set up. See the React Quickstart guide to set up your primary authentication method first.
Prerequisites
Before implementing MFA, you need to have:
- Set up primary authentication - MFA requires a primary authentication method to be already set up. Follow the React Quickstart guide to configure email (OTP or magic link) or social login.
- Working authentication flow - Ensure users can successfully sign in with your primary authentication method.
Implementation
To implement authenticator app verification in your React application, you’ll use the useMFA
hook from Account Kit.
Step 1: Checking if Multi-Factor Authentication is Available
First, check if the user is logged in and able to edit their MFA settings:
Step 2: Setting Up an Authenticator App
In this step, we receive a QR code URL from the backend and display it to the user. This URL contains a TOTP seed and necessary metadata. When displayed as a QR code, it can be scanned by most authenticator apps (Google Authenticator, Authy, 1Password, etc.) to set up 6-digit time-based codes. The backend also provides a unique multiFactorId which we’ll need to store for the verification step.
This QR code contains the information needed for apps like Google Authenticator or Authy. Once scanned, the app will generate 6-digit codes that users can use as their second verification step.
Step 3: Confirming the Authenticator App Setup
After the user scans the QR code, they need to prove it worked by entering a code:
Step 4: Managing Authenticator Apps
You can retrieve and remove authenticator app–based MFA from a user’s account by using the useMFA
hook. Each verification method (also called a “factor”) is identified by a unique multiFactorId
. For example, a TOTP-based authenticator app is one factor.
Next Steps
After setting up an authenticator app, users will need to provide both their primary authentication method and a 6-digit code when signing in:
Using Pre-built UI Components
If you’re using the pre-built UI components, the MFA verification process is handled automatically:
- The authentication flow will detect when a user has MFA enabled
- Users will be prompted for their authenticator app code after providing their primary credentials
- No additional code is required from you
Using Custom UI with Hooks
If you’re implementing custom UI with hooks, you’ll need to update your authentication code to handle the MFA verification step:
- Email OTP with Multi-Factor Authentication - See how to implement the two-step verification
- Email Magic Link with Multi-Factor Authentication - Learn how to handle magic links with MFA
- Social Login with Multi-Factor Authentication - Social login with MFA is handled in the OAuth callback
For custom UI implementations, make sure your authentication logic checks for the MFA requirement and provides UI for users to enter their authenticator app code.