MFA Start Up
Multi-Factor Authentication (MFA) enhances security by requiring multiple authentication factors, such as passkeys and passwordless OTPs, to access an account. Combining passkeys with other authentication methods further reduces the risk of unauthorized access, even if one factor is compromised.
Prerequisites
- Create an application to obtain a base URL. The SDK uses this base URL to interact with the LoginID authentication service.
- Create an API key with at least the external-verify scope. You’ll need this to request authorization tokens from your backend.
Setup SDK
- JavaScript
npm i @loginid/websdk3
Import and initialize an instance:
import { LoginIDMfa } from "@loginid/websdk3";

const lid = new LoginIDMfa({
  baseUrl: process.env.LOGINID_BASE_URL,
});
Starting an MFA session
To begin an MFA session, use the beginFlow method. This initializes the authentication process, stores session details locally, and prepares the user for multi-factor authentication.
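// config is the options object passed at initialization, e.g. { baseUrl } as shown above.
const mfa = new LoginIDMfa(config);
// Start the MFA flow for this username; session details are stored locally.
const session = await mfa.beginFlow("user@example.com");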
Once initiated, proceed with the performAction method to complete authentication using passkeys, OTPs, or external verification.
To check the status of the current MFA session, use getMfaSessionDetails:
const sessionDetails = mfa.getMfaSessionDetails();
console.log(sessionDetails);
This returns an object like:
{
  "username": "user@example.com",
  "flow": "signup",
  "remainingFactors": [
    {
      "description": "Authenticate through an external provider",
      "label": "External authentication",
      "type": "external"
    },
    {
      "description": "Authenticate with existing passkey",
      "type": "passkey:auth",
      "label": "Authenticate with passkey",
      "value": "...."
    }
  ],
  "nextAction": "passkey:auth",
  "isComplete": false
}
In this response:
- remainingFactors lists all authentication factors that can still be completed.
- nextAction suggests the recommended next factor to perform, but does not restrict which factor can be used.
- isComplete indicates whether the MFA flow has finished.
Once the MFA session is successfully completed, an accessToken is returned, granting authenticated access.
{
  "username": "user@example.com",
  "flow": "signup",
  "remainingFactors": [],
  "isComplete": true,
  "accessToken": "eyJhbGciOiJFUz...FL-wI_Qkw6jNf758XC8w"
}
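The following helpers are an added example, not part of the LoginID SDK or its documentation. They show how an application can decide its next step from the session details shown above: use nextAction only when it is still listed in remainingFactors and permitted by the application, and treat the flow as finished only when isComplete is true and an accessToken is present. The function names and the allowedTypes parameter are hypothetical, and the sample objects are constructed.

```javascript
// Added example: decide what to do next from an MFA session details object.
// Field names follow the sample responses above; the function names and the
// allowedTypes policy parameter are hypothetical.

// True only when the flow is finished AND a non-empty token is present.
function isAuthenticated(details) {
  return Boolean(details) &&
    details.isComplete === true &&
    typeof details.accessToken === "string" &&
    details.accessToken.length > 0;
}

// Picks the factor type to perform next.
// nextAction is only a recommendation, so it is used when the application
// allows it and it is still listed in remainingFactors; otherwise the first
// remaining factor the application allows is used.
// Returns null when the session is complete or no allowed factor remains.
function chooseNextFactor(details, allowedTypes) {
  if (!details || details.isComplete === true) return null;
  const remaining = Array.isArray(details.remainingFactors)
    ? details.remainingFactors.map((f) => f && f.type)
    : [];
  const usable = remaining.filter((t) => allowedTypes.includes(t));
  if (usable.includes(details.nextAction)) return details.nextAction;
  return usable.length > 0 ? usable[0] : null;
}

// Constructed sample objects, shaped like the responses shown above.
const inProgress = {
  username: "user@example.com",
  flow: "signup",
  remainingFactors: [
    { type: "external", label: "External authentication" },
    { type: "passkey:auth", label: "Authenticate with passkey", value: "...." },
  ],
  nextAction: "passkey:auth",
  isComplete: false,
};
const finished = {
  username: "user@example.com",
  flow: "signup",
  remainingFactors: [],
  isComplete: true,
  accessToken: "constructed-placeholder-token",
};

console.log(chooseNextFactor(inProgress, ["passkey:auth", "external"]));
console.log(chooseNextFactor(inProgress, ["external"]));
console.log(isAuthenticated(inProgress), isAuthenticated(finished));
```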