Multi-Factor Authentication (MFA)

Two-Factor Authentication (2FA) can be used to protect client applications, access scopes in services, and access to the Cloudentity platform itself.

Multi-Factor Authentication Enforcement Points

Organizations may require Multi-Factor Authentication at the following enforcement points:

Restricting Access to Client Applications by Using MFA

After the user enters the username and password, they are prompted to select an additional verification method: e-mail or SMS. The methods available depend on what data the user has added and enabled for MFA on the identity provider (IDP) side. If the user selects e-mail verification, for example, a one-time password (OTP) code is sent to the user via e-mail. The code the user provides is then verified, and access is either allowed or denied depending on the outcome. If the whole process succeeds, the client app can proceed to obtaining consent and requesting an access token. This process is outlined in the diagram below:

[mermaid-begin]
sequenceDiagram
    participant User
    participant Cloudentity
    participant Client app
    User->>Client app: Login request
    Client app->>Cloudentity: Redirect
    Cloudentity->>User: Request credentials via IDP
    User->>Cloudentity: Provide credentials via IDP
    Cloudentity-->>Cloudentity: Check MFA requirements
    Cloudentity->>User: Send MFA challenge (E-mail/text)
    User->>Cloudentity: Send MFA challenge response (OTP code)
    Cloudentity-->>Cloudentity: Verify MFA response
    Cloudentity->>User: Ask for consent
    User->>Cloudentity: Respond with consent grant
    Cloudentity-->>Cloudentity: Verify consent
    Cloudentity->>Client app: Grant authorization

After the user enters their username and password (and, where required, completes authentication MFA), the consent screen is displayed with the scopes requested by the client application. When MFA protection is enabled for any of the selected scopes, additional actions are required: the user must select an MFA method and enter the OTP delivered to them via e-mail or SMS. As soon as the verification code is provided and successfully verified, the scope becomes available for granting.

Enforcing MFA for Cloudentity Platform

Organizations may require multi-factor authentication from administrator users when they log in to the Cloudentity platform.

One Time Passwords (OTPs)/Verification Codes for MFA

MFA in Cloudentity combines a knowledge factor (username and password) or a passkey with a possession factor: a One Time Password (OTP), also called a verification code.

OTPs used for additional verification of the user's identity can be delivered by Cloudentity in two ways:

  • OTP sent via SMS (supported by Twilio)
  • OTP sent via email (supported by any SMTP gateway)

The length and lifetime of the verification codes are configurable.
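The OTP step of the flows above (issue a code of configurable length and lifetime, deliver it out of band, verify it once) as an added example; this is illustrative code, not Cloudentity's implementation, and the class, store and attempt limit are assumptions.

```python
"""Server-side handling of e-mail/SMS one-time verification codes.

Added example (not Cloudentity's code). The OtpService class, its in-memory
store and the max_attempts limit are assumptions; length and lifetime are
the configurable properties named on the page.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class OtpChallenge:
    code: str
    expires_at: float
    attempts_left: int
    used: bool = False


class OtpService:
    def __init__(self, length: int = 6, lifetime_s: int = 300,
                 max_attempts: int = 3, clock: Callable[[], float] = time.time):
        self.length = length
        self.lifetime_s = lifetime_s
        self.max_attempts = max_attempts
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._challenges: Dict[str, OtpChallenge] = {}

    def issue(self, session_id: str) -> str:
        # Numeric code from a CSPRNG; each digit drawn independently.
        code = "".join(secrets.choice("0123456789") for _ in range(self.length))
        expires_at = self.clock() + self.lifetime_s
        self._challenges[session_id] = OtpChallenge(code, expires_at, self.max_attempts)
        return code  # handed to the SMS/SMTP sender, never logged

    def verify(self, session_id: str, submitted: str) -> bool:
        ch = self._challenges.get(session_id)
        # Unknown session, already consumed, expired, or locked out: deny.
        if ch is None or ch.used or self.clock() > ch.expires_at or ch.attempts_left <= 0:
            return False
        ch.attempts_left -= 1  # every guess burns an attempt, right or wrong
        # Constant-time comparison so timing does not leak matching prefixes.
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False
        ch.used = True  # single use: replaying a correct code fails
        return True
```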

Updated: Sep 8, 2023