Skip to Content
GuidesSecurityMulti-Factor Authentication

Multi-Factor Authentication (MFA)

Multi-factor authentication requires users to provide a second form of verification in addition to their primary credentials. Auris supports four MFA mechanisms — TOTP authenticator apps, SMS one-time passwords, WebAuthn hardware keys and passkeys, and adaptive risk-based MFA that triggers additional factors automatically based on detected risk — that can be combined according to your security policy.


TOTP (Authenticator App)

Time-Based One-Time Password (TOTP) is the most widely supported MFA mechanism. Users scan a QR code with an authenticator app — such as Google Authenticator, Authy, 1Password, or any RFC 6238-compliant application — and enter the six-digit code it generates.

How it works

TOTP codes are derived from a shared secret and the current time. The server and the authenticator app independently compute the same code for each 30-second window. No network connection is required on the user’s device.

User setup

The TOTP enrollment flow:

  1. The user navigates to Account → Security → Two-Factor Authentication.
  2. A QR code and manual entry key are displayed.
  3. The user scans the QR code with their authenticator app.
  4. The user enters the initial six-digit code to confirm setup.
  5. Recovery codes are generated and displayed. The user must save these — they cannot be retrieved later.

Recovery codes

Each TOTP setup generates 10 single-use recovery codes. If a user loses access to their authenticator device, they can enter a recovery code to bypass MFA and log in. After use, a recovery code is invalidated. Users can generate a new set of recovery codes from their account security page — doing so invalidates all previous codes.

Admin actions

Admins can reset a user’s TOTP enrollment via the Console (User detail → Security → Reset TOTP). This removes the existing TOTP configuration and forces the user to re-enroll on next login. Use this when a user reports a lost or replaced device.

POST/api/user/2fa/totp/enable

Initiates TOTP enrollment for the authenticated user. Returns the TOTP secret and QR code data URI.

POST/api/user/2fa/totp/verify

Confirms enrollment by verifying the initial TOTP code. Generates and returns recovery codes.

DELETE/api/user/2fa/totp

Removes the user’s TOTP enrollment. Requires the current TOTP code or a recovery code for confirmation.


SMS OTP

SMS one-time passwords deliver a verification code to the user’s registered mobile phone number via SMS. Auris uses Twilio as the SMS provider.

Requirements

SMS OTP requires:

  • A Twilio account with a phone number capable of sending SMS.
  • TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, and TWILIO_FROM_NUMBER environment variables configured in the Auris API.

For a complete SMS OTP setup guide including Twilio configuration, see SMS OTP Authentication.

User setup

  1. The user navigates to Account → Security → Phone Number.
  2. The user enters their mobile number in E.164 format (e.g., +39 02 1234 5678).
  3. Auris sends a verification code via SMS.
  4. The user enters the code to confirm phone ownership.
  5. The phone number is verified and can be used for SMS OTP MFA.

Rate limits

To prevent abuse, Auris enforces rate limits on SMS OTP codes:

  • Maximum 5 codes sent per phone number per hour.
  • A 30-second cooldown between send requests.
  • Maximum 5 verification attempts per code before it is invalidated.
POST/api/user/phone

Sets the user’s phone number and sends a verification code.

POST/api/user/phone/verify

Verifies the phone number with the code received by SMS.

POST/api/user/2fa/sms/enable

Enables SMS OTP as a second factor after the phone number is verified.

POST/api/user/2fa/sms/send

Sends a new SMS OTP code during an MFA challenge.


WebAuthn / Passkeys

WebAuthn (Web Authentication, FIDO2) allows users to authenticate using hardware security keys (YubiKey, Titan Key) or platform authenticators (Touch ID, Face ID, Windows Hello). When used as a second factor, the user taps their hardware key or uses biometrics to complete the MFA challenge.

WebAuthn credentials are phishing-resistant by design: the credential is bound to the specific origin (domain) and cannot be replayed on a different site.

For a complete WebAuthn setup guide, see WebAuthn / Passkeys.

User setup

  1. The user navigates to Account → Security → Passkeys.
  2. The user clicks “Register Passkey” and provides a name for the credential.
  3. The browser presents a platform authenticator prompt (Touch ID, Windows Hello, or a hardware key).
  4. The credential is registered. The user can register multiple passkeys for different devices.

During MFA challenge

When WebAuthn MFA is required, the Hosted Login page presents a WebAuthn challenge. The user’s registered authenticator handles the cryptographic response — no code entry is needed.

POST/api/user/2fa/webauthn/enable

Initiates WebAuthn registration as a second factor. Returns the registration challenge.

POST/api/user/2fa/webauthn/challenge

Generates an authentication challenge for an in-progress MFA verification.

DELETE/api/user/2fa/webauthn

Removes a registered WebAuthn credential by credential ID.


Adaptive MFA (Risk-Based)

Adaptive MFA evaluates a risk score on every login and automatically escalates the authentication requirement when risk is elevated. Rather than always requiring MFA or never requiring it, Auris responds proportionally to the actual risk of each login attempt.

Risk factors

Auris computes a risk score from five weighted factors:

FactorDescriptionExample trigger
IP reputationIP address associated with known malicious activity, VPN, proxy, or datacenterLogin from a Tor exit node
Device trustUnknown device fingerprint (no previous successful login from this device)First login from a new laptop
Geographic anomalyImpossible travel — the distance between the previous login location and the current one implies faster-than-possible movementLogin from Italy followed 30 minutes later by a login from Japan
Behavioral patternsLogin time, request cadence, and other behavioral signals that deviate from the user’s baselineLogin at 3:00 AM when the user always logs in during business hours
Action sensitivityHigher-sensitivity operations (e.g., changing email, generating API keys) are scored more strictly than read-only accessUser attempting to change their password immediately after login

Factors are combined into a final risk score from 0 to 100.

Risk thresholds

Configure thresholds in Console → Security → Adaptive MFA:

ThresholdBehavior
Low (0–30)No additional authentication required. Standard login proceeds.
Medium (31–70)Prompt for any configured MFA method (TOTP, SMS, or WebAuthn).
High (71–100)Require a stronger MFA method. TOTP only is insufficient — hardware WebAuthn is preferred.

These thresholds are configurable. You can also disable adaptive MFA entirely and use a fixed policy.

ACR and AMR in tokens

When step-up authentication occurs, Auris includes standard claims in the access token:

  • ACR (Authentication Context Class Reference): The level of assurance achieved. For example, urn:mace:incommon:iap:silver for MFA-verified sessions.
  • AMR (Authentication Methods References): The authentication methods used. For example, ["pwd", "totp"] for password + TOTP, or ["pwd", "hwk"] for password + hardware key.

Your application server can inspect these claims to enforce session-level access control.


Step-Up Authentication

Step-up authentication allows your application to require additional verification for specific operations within an existing session, without forcing a full re-login.

For example, a user is logged in and navigates to “Delete Account”. Your application can trigger a step-up challenge requiring the user to re-authenticate (enter their password) or complete an MFA factor before the destructive action proceeds.

Auris implements step-up via ACR in the authorization request. When your application requests an authorization code with acr_values=2fa, Auris checks the current session’s ACR level and only prompts for additional authentication if the session does not already meet the requirement.

Step-up authentication relies on the session’s AMR claims. A session authenticated with TOTP (amr: ["pwd", "totp"]) will not be asked for TOTP again during the validity of the same session unless the ACR requirement specifies a method not already present.


Console Configuration

MFA settings are available in Console → Authentication → MFA Settings.

Per-method toggles:

MethodToggleNotes
TOTPEnable/DisableEnable to allow users to enroll authenticator apps
SMS OTPEnable/DisableRequires Twilio to be configured in environment variables
WebAuthnEnable/DisableRequires HTTPS (passkeys do not work over plain HTTP)
Adaptive MFAEnable/DisableWhen disabled, the static policy applies to all users

Enforcement policies:

PolicyMeaning
optionalUsers may set up MFA but are not required to
requiredAll users must enroll at least one MFA method to complete login
adaptiveMFA is required only when the risk score exceeds the configured threshold

Risk thresholds: Configurable sliders for the Low/Medium/High boundaries and per-factor weights.


Required Permissions

All MFA management endpoints operate on the authenticated user’s own account and require no special permission beyond authentication. Admin-level operations (resetting another user’s TOTP, viewing MFA status) require manage:users.