Enable multi-factor authentication

To increase security for your product, you can enable multi-factor authentication (MFA). This means that your users sign in using at least two authentication methods, for example, password sign in plus verification code.

You can make MFA mandatory for users, or optional.

• Email authentication - users are sent a verification code via email. Note: You would not usually choose this as the additional auth option if your users authenticate passwordless.
• Authenticator app - users receive a verification code via an authentication app.
• SMS - users receive a verification code via SMS.

1. In Kinde, go to Settings > Environment > Multi-factor auth.
2. To make MFA mandatory, in the Require multi-factor authentication section, select Yes. Users will be required to set up MFA when they first sign up or next sign in.
3. To make MFA optional, in the Require multi-factor authentication section, select Optional. Users will have the option to set up MFA when they first sign up or next sign in.
4. Select the additional authentication options that you want to be available to your users. Such as an authenticator app, email, or SMS.
5. Select Save. Users will now be directed to use multi-factor authentication when they sign in.

If you make MFA optional, users will be prompted to opt in to MFA when they next sign in.

If mandatory or after they opt in, users will be prompted to use (or choose) a secondary authentication method, through which they will receive a verification code. They will also be offered a set of recovery codes.

We suggest you advise users ahead of time if you are changing your sign in requirements, and if you require them to download an authenticator app such as Google Authenticator.

• On first time use, the user can scan a QR code to enable the verification method and get a verification code sent to their app of choice.
• On subsequent sign in, a verification code will appear in their authenticator app of choice, or they can use a recovery code to sign in.

• A code is sent to their email that they need to enter into the verification code field on sign up and sign in.

• A code is sent via SMS that they need to enter into the verification code field on sign up and sign in.

When a user signs in for the first time, or signs up as a new user, they will be offered a set of recovery codes that they can store for future use. They can then use a recovery code if they don’t have access to their authenticator app.

If you reset MFA for a user later - say if they lose their device or decide to opt in - then they will be issued with new recovery codes.