Enable multi-factor authentication (beta)
BETA FEATURE: We’re still working on this, but you can request early access and help us make it better.
To increase security for your product, you can enable multi-factor authentication (MFA). This means that your users must sign in using at least two authentication methods, for example, password sign in plus verification code.
Additional authentication options
- Email authentication - users are sent a verification code via email. Note: you would not usually choose this as the additional authentication option if your users already sign in without a password, because the second code would arrive through the same channel as the first.
- Authenticator app - users receive a verification code via an authentication app.
To set up MFA
- In Kinde, go to Settings, then choose Multi-factor auth.
- In the Require multi-factor authentication section, select Yes.
- Select the additional authentication options that you want to be available to your users.
- Select Save. Users will now be directed to use multi-factor authentication when they sign in.
How MFA changes the sign up and sign in experience
Once you set up MFA, when a user signs in they will be prompted to use (or choose) a secondary authentication method, through which they will receive a verification code. They will also be offered a set of recovery codes.
We suggest you advise users ahead of time if you are changing your sign in requirements, and if you require them to download an authenticator app such as Google Authenticator.
If using an authenticator app
- On first-time use, the user scans a QR code to enable the verification method; the verification code then appears in their authenticator app of choice.
- On subsequent sign in, a verification code will appear in their authenticator app of choice, or they can use a recovery code to sign in.
If using email verification
- A code is sent to their email address, which they enter into the verification code field at sign up and sign in.
- When a user signs in for the first time, or signs up as a new user, they will be offered a set of recovery codes that they can store for future use. They can then use a recovery code if they don’t have access to their authenticator app.
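The authenticator app flow and the recovery codes described above rest on two standard mechanisms: the QR code encodes an otpauth URI carrying a shared secret, the app derives a six-digit time-based code from it (RFC 6238), and recovery codes are single-use values the server keeps only as hashes. The following is an added illustration of those mechanisms, not Kinde's own code; the issuer and account names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Hypothetical issuer/account names used only in this illustration.
ISSUER = "ExampleApp"
ACCOUNT = "user@example.com"

def otpauth_uri(secret: str, account: str = ACCOUNT, issuer: str = ISSUER) -> str:
    """The text the enrolment QR code encodes: a base32 shared secret plus TOTP parameters."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

def totp(secret: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock drift); compare in
    constant time so response timing does not leak which digits matched."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), submitted):
            return True
    return False

def new_recovery_codes(count: int = 8) -> list[str]:
    """One-time codes offered at enrolment; the server keeps only their hashes."""
    return [secrets.token_hex(5) for _ in range(count)]

def hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def redeem_recovery_code(stored_hashes: set[str], submitted: str) -> bool:
    """A recovery code is single-use: drop its hash once it succeeds."""
    h = hash_code(submitted)
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False
```

The `totp` function reproduces the RFC 6238 test vectors (for example, the published secret at time 59 yields 287082), so it can be checked against any authenticator app.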