Multi-Factor Authentication (MFA)

BastionAuth supports Time-based One-Time Passwords (TOTP) as a second factor for authentication.

Enabling MFA

Users can enable MFA from their account settings. The flow involves:

  1. Requesting a TOTP secret and QR code
  2. Scanning the QR code with an authenticator app (Google Authenticator, Authy, etc.)
  3. Verifying a code to confirm setup
  4. Saving backup codes

Backup Codes

When MFA is enabled, 10 single-use backup codes are generated. These can be used if the user loses access to their authenticator device.
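The verification step of the enrolment flow above and the single-use backup codes, worked through as an added example (not BastionAuth's own code). It assumes the common authenticator-app parameters, HMAC-SHA1, 6 digits and 30-second steps, and a one-step clock-drift window; the page does not state which parameters BastionAuth uses.

```python
import base64, hashlib, hmac, secrets, struct

DIGITS, STEP = 6, 30  # assumed defaults; the page does not state BastionAuth's values

def totp(secret_b32: str, counter: int) -> str:
    """RFC 6238 TOTP for one time-step counter (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret_b32, code, now, last_counter=-1, skew=1):
    """Accept the current step or up to `skew` adjacent steps (clock drift), but
    never a step at or before the last counter already used, so a captured code
    cannot be replayed. Returns the accepted counter (store it), or None."""
    current = now // STEP
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(totp(secret_b32, counter), code):
            return counter
    return None

def _hash_code(code: str) -> str:
    # Codes are random, so a plain digest is stored rather than the code itself;
    # a slow KDF would harden the stored hashes further.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()

def generate_backup_codes(n: int = 10):
    """Return (plaintext codes to show the user once, hashes to persist)."""
    codes = [secrets.token_hex(5) for _ in range(n)]  # 10 hex chars, 40 bits each
    return codes, [_hash_code(c) for c in codes]

def consume_backup_code(stored_hashes: list, code: str) -> bool:
    """Single use: the matching hash is deleted so the code cannot be reused."""
    h = _hash_code(code)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(stored, h):
            del stored_hashes[i]
            return True
    return False
```

The `last_counter` value must be persisted per user after each successful verification, otherwise the replay check has no effect.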

API Reference

See the API Reference for MFA endpoints:

  • POST /auth/mfa/enable
  • POST /auth/mfa/verify
  • POST /auth/mfa/validate