Multi-Factor Authentication (MFA)
Alchemy Signer supports Time-based One-Time Password (TOTP) multi-factor authentication (MFA). This lets you prompt users to set up a TOTP authenticator (e.g. Google Authenticator) as an additional security factor.
Multi-factor authentication is currently supported when authenticating with Email OTP or Email Magic Link.
Setting up Multi-Factor Authentication
- Prerequisite: Your user is already logged in with at least one authentication factor (e.g. email OTP, email magic link).
1. Add a new TOTP factor
Once the user is authenticated, you can call addMfa to enable TOTP. This returns factor details, including an ID and setup information that your app can display to the user (e.g. a QR code or an otpauth link that the user can scan in Google Authenticator).
You can show the multiFactorTotpUrl in your UI as a QR code or link so the user can add it to their authenticator app.
2. Verify the TOTP setup
Once the user has scanned the TOTP secret, have them enter the 6-digit code from their authenticator app. Then call verifyMfa with that code.
3. Remove a TOTP factor
If a user wants to disable TOTP, call removeMfa with the multiFactorId you want to remove.
4. Get a list of existing MFA factors
Authenticating Email OTP with multi-factor TOTP
Step 1: Send an OTP to user’s email
Step 2: Submit the email OTP code
Step 3: Submit the TOTP code (authenticator app code)
Authenticating Email magic-link with multi-factor TOTP
When calling authenticate with emailMode="magicLink", you can catch an MfaRequiredError. Then collect the TOTP code and resubmit.
Authenticating Social Login with multi-factor TOTP
When a user has MFA enabled using an authenticator app, the authentication process for social login is seamless. Unlike email authentication flows, you don’t need to handle the MFA challenge manually in your code.
The TOTP verification happens automatically during the OAuth callback flow:
- The user authenticates with the social provider (Google, Facebook, etc.)
- After successful provider authentication, they’re prompted for their TOTP code on the OAuth callback page
- Once verified, authentication completes normally
Simply use the standard social login authentication as shown in the Social Login Authentication guide: