Getting Started with Multi-factor Auth
Getting Started with Multi-factor Auth
Try Magic MFA yourself by creating a test account with this live demo!
#What is multi-factor authentication (MFA)?
Multi-factor authentication is a common technique used to add an additional layer of security to an account. This means a secondary factor is validated along with the existing primary factor in order to login to an account. Typically, the primary factor is an email and the secondary factor is a phone number or mobile device authenticator. The idea is that both factors must be compromised in order for an account to be breached. There are many forms of both primary and secondary factors.
Magic currently offers end-user MFA through mobile authenticator apps like Authy or Google Authenticator. This is currently supported for email and SMS primary factors. WebAuthn and social login primary factors will be supported in the future.
#Benefits of MFA
The most obvious benefit of MFA is increased security. Magic MFA increases your users security by requiring an additional proof of ownership to an account. If a bad actor has found a way to compromise a user’s primary email or SMS, Magic MFA provides a second layer of protection to prevent an account compromise. Enabling MFA can also help you meet regulatory requirements. If your users must meet HIPAA, PCI, or CJIS compliance standards, then MFA should be enabled for their use cases.
This does come with some drawbacks, specifically a lengthier sign-in process for end-users. Requiring MFA during initial registration can also decrease user conversion rates by increasing friction. A common way to mitigate this is by nudging users to enable MFA after their initial registration is complete. Magic was developed to give you maximum flexibility for when you want to enroll your users into MFA. You can nudge them to enroll at the end of user registration or when they have hit a milestone on their user journey.
#Implementing MFA
#Compatibility
Multi-factor auth is currently compatible with end-user accounts created via email magic link or SMS login.
#Unlocking MFA
Multi-factor auth is a premium feature available to all customers for an additional monthly charge. To unlock MFA for your workspace, please activate Dedicated Wallet Pro within your developer dashboard.
#Pre-requisites
- Client-side SDK
- Feature unlocked by subscribing to Dedicated Wallet Pro
- Feature enabled through Multi-factor Auth Dashboard page
#Add MFA to your app
You can add MFA to your app either by using Magic's plug and play settings panel or by calling the SDK method magicClient.user.showSettings() which will bring up the settings modal. The settings view will let users self-service both enabling and disabling MFA.
Calling the SDK method magicClient.user.getMetadata() will return whether the user has MFA enabled or not. This can be used to progressively introduce MFA to users via a banner reminding them to enable it or similar.
#Disabling MFA for your app
Simply remove any settings implementation for Magic SDK or Login Form. Existing users with MFA enabled will still be able to use their second factor to login.
#End-user account recovery
#MFA recovery codes
When registering for MFA, end-users are given one-time use recovery codes. If an end-user loses access to their MFA, they can use their one-time recovery code to self-service recover their account.
Using the recovery code will authenticate the user and deactivate MFA in the process for the given device. The user will be given a new recovery code after they complete MFA enrollment.
#Admin reset
If a user loses their recovery code, you can reset their MFA via the Users section in the Magic dashboard. Simply search for the user, and use the action menu on the right side to disable MFA. You will be asked to confirm the user again before MFA will be disabled.
#Coming soon
- WebAuthn support
- Feedback or questions? Join us on Discord