This feature requires a subscription to our Dedicated Pro Bundle
Multi-factor authentication (MFA) is a common technique for adding a layer of security to an account: a secondary factor is validated along with the existing primary factor before the user can log in. Typically, the primary factor is an email address and the secondary factor is a phone number or a mobile authenticator app. The idea is that both factors must be compromised before an account can be breached. There are many forms of both primary and secondary factors.
Magic currently offers end-user MFA through mobile authenticator apps like Authy or Google Authenticator. This is currently supported for email, SMS, and social login primary factors. WebAuthn will be supported in the future.
Multi-factor auth is currently compatible with end-user accounts created via email magic link or SMS login.
Multi-factor auth SDK methods are available via the following client-side SDKs:
The most obvious benefit of MFA is increased security. Magic MFA increases your users' security by requiring an additional proof of ownership of an account. If a bad actor has found a way to compromise a user's primary email inbox or SMS, Magic MFA provides a second layer of protection against an account compromise. Enabling MFA can also help you meet regulatory requirements. If your users must meet HIPAA, PCI, or CJIS compliance standards, then MFA should be enabled for their use cases.
This does come with some drawbacks, specifically a lengthier sign-in process for end-users. Requiring MFA during initial registration can also decrease user conversion rates by increasing friction. A common way to mitigate this is by nudging users to enable MFA after their initial registration is complete. Magic was developed to give you maximum flexibility for when you want to enroll your users into MFA. You can nudge them to enroll at the end of user registration or when they have hit a milestone on their user journey.
Multi-factor auth is a premium feature available to all customers for an additional monthly charge. To unlock MFA for your workspace, please activate Dedicated Wallet Pro within your developer dashboard.
- Client-side SDK
- Feature unlocked by subscribing to Dedicated Wallet Pro
- Feature enabled through Multi-factor Auth Dashboard page
You can add MFA to your app by calling the SDK method magic.user.showSettings(), which brings up the settings modal. The settings view lets users self-service both enabling and disabling MFA.
Calling the SDK method magic.user.getInfo() returns whether the user has MFA enabled or not. This can be used to progressively introduce MFA to users, for example via a banner reminding them to enable it.
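The following is an added example, not Magic's own code, showing how the two SDK calls above fit together for a progressive MFA nudge: read the user's MFA status with magic.user.getInfo(), show a banner only once the user has passed an application-defined milestone, and open the settings modal with magic.user.showSettings() when they accept. It assumes that getInfo() resolves to user metadata carrying an isMfaEnabled boolean (an assumption about the metadata shape); the loginCount milestone, the nudgeAfterLogins threshold, and the fakeMagic stand-in client are invented here so the example runs offline.

```javascript
// Added example (not Magic's code). Decides whether to nudge a logged-in user
// to enrol in MFA, and wires the nudge to Magic's self-service settings modal.
// Assumption: magic.user.getInfo() resolves to metadata with `isMfaEnabled`.

const NUDGE_STATES = Object.freeze({
  ENABLED: "enabled", // MFA already on; nothing to show
  NUDGE: "nudge",     // past the milestone and not enrolled; show the banner
  WAIT: "wait",       // too early in the user journey; avoid sign-up friction
});

// Pure decision: MFA status from the SDK plus an app-defined milestone.
// `loginCount` and `nudgeAfterLogins` are application concepts, not SDK ones.
async function mfaNudgeState(magic, loginCount, nudgeAfterLogins = 3) {
  const info = await magic.user.getInfo();
  if (info && info.isMfaEnabled === true) return NUDGE_STATES.ENABLED;
  // A missing or false flag is treated as "not enrolled"; still respect the milestone.
  return loginCount >= nudgeAfterLogins ? NUDGE_STATES.NUDGE : NUDGE_STATES.WAIT;
}

// Wires the decision to the UI. `showBanner(onEnable)` renders the nudge and calls
// onEnable when the user clicks; onEnable opens the Magic settings modal, where the
// user enrols, then re-reads getInfo() so the caller learns whether enrolment happened.
async function runMfaNudge(magic, loginCount, showBanner, nudgeAfterLogins = 3) {
  const state = await mfaNudgeState(magic, loginCount, nudgeAfterLogins);
  if (state === NUDGE_STATES.NUDGE) {
    showBanner(async () => {
      await magic.user.showSettings();
      const after = await magic.user.getInfo();
      return after && after.isMfaEnabled === true;
    });
  }
  return state;
}

// Constructed stand-in for the Magic SDK client so the example runs offline.
// `enrolsOnSettings` simulates the user completing enrolment inside the modal.
function fakeMagic(isMfaEnabled, enrolsOnSettings = false) {
  const calls = [];
  let enabled = isMfaEnabled;
  return {
    calls,
    user: {
      // Constructed metadata; only `isMfaEnabled` is read by the code above.
      getInfo: async () => ({ issuer: "did:ethr:0x0000000000000000", isMfaEnabled: enabled }),
      showSettings: async () => {
        calls.push("showSettings");
        if (enrolsOnSettings) enabled = true;
      },
    },
  };
}

// Stand-alone usage: a user on their fourth login who has not enrolled gets nudged.
runMfaNudge(fakeMagic(false, true), 4, (onEnable) => {
  // In a real app this renders a banner; here we act as if the user clicked it.
  onEnable().then((enrolled) => console.log("MFA enrolled after settings:", enrolled));
}).then((state) => console.log("nudge state:", state));
```

Keeping the decision in mfaNudgeState separate from the UI wiring means the milestone logic can be unit-tested without a browser, and re-reading getInfo() after the modal closes avoids assuming the user finished enrolment just because the modal was opened.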
Simply remove any settings implementation for Magic SDK or Login Form. Existing users with MFA enabled will still be able to use their second factor to login.
When registering for MFA, end-users are given a one-time-use recovery code. If an end-user loses access to their second factor, they can use the recovery code to self-service recover their account.
Using the recovery code authenticates the user and deactivates MFA in the process for the given device. The user is issued a new recovery code after they complete MFA enrollment again.
If a user has also lost their recovery code, you can reset their MFA via the Users section in the Magic dashboard. Search for the user and use the action menu on the right side to disable MFA. You will be asked to confirm the user again before MFA is disabled.