MFA authentication step

A step in the Journey Builder is a component used to configure and customize a login, registration, or self-service workflow.

The MFA step in the Journey Builder adds an extra layer of protection to the authentication process while keeping the authentication experience flexible and user-friendly.

Capabilities

  • Select from different MFA policies within the application to meet specific security requirements and customer needs.
  • Implement conditional logic to determine when MFA is required, based on factors such as user roles, risk levels, or location.
  • Control whether customers are required to authenticate every time or allowed to skip MFA based on device recognition settings.

Sample use cases

  • Use MFA for users identified as high-risk based on their behavior, location, or role. For example, if a login attempt is made from a new device or an unfamiliar location, the system can prompt the user to complete MFA.
  • During the registration process, prompt users to enroll in MFA by setting up their preferred authentication methods.
  • Force an authentication before a customer makes a high-risk transaction.
  • Respect remembered devices and allow customers to skip MFA if they have previously authenticated and opted to remember their device.

Configuration

To add an MFA authentication step to your journey, follow the steps below.

  1. Select the Journey Builder in the left-hand menu on the Admin Console.
  2. To create a new journey, select Create journey or select an existing journey to edit.
  3. In the Journey Builder, select the + icon in the upper left-hand corner to add a new step to the journey. Choose MFA authentication from the available options.
  4. After placing the step, connect it to other steps, depending on how it interacts with the workflow. Configure where each outcome (authenticated, notAvailable, or failure) directs the customer.
  5. Select the MFA authentication step and click the pencil icon to edit its settings.

Within the settings:

  • Step name (optional): Specify a name for the step. This is only visible in the journey editor.
  • Adaptive access policy: Select an Adaptive Access policy already configured in your application or identity store. Leave it blank to use the application or organization-defined policy.
  • Force customers to authenticate:
    • When enabled, customers must complete MFA every time, even on recognized devices, and the "Remember this device" option is not offered.
    • When disabled, the step respects remembered devices. Customers are prompted for MFA only if their device is not recognized and can choose to "Remember this device" for future sessions.
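
A review check for the outcome wiring and the force setting described above, as an added example that is not part of the product or its documentation. The dictionary layout and the "guards_high_risk" marker are hypothetical; only the three outcome names and the force setting come from this page.

```python
# Added example: reviews a hand-written description of a journey's MFA steps.
# The layout (keys "force", "guards_high_risk", "outcomes") is hypothetical;
# it is not an export format of the product.
OUTCOMES = ("authenticated", "notAvailable", "failure")

def review_mfa_steps(steps):
    """Return a sorted list of (step_name, finding) tuples."""
    findings = []
    for name, step in steps.items():
        routes = step.get("outcomes", {})
        # Every outcome of the step needs a destination.
        for outcome in OUTCOMES:
            if not routes.get(outcome):
                findings.append((name, f"outcome '{outcome}' is not connected"))
        # A non-success outcome that lands where success lands is fail-open.
        ok_target = routes.get("authenticated")
        for outcome in ("notAvailable", "failure"):
            if ok_target and routes.get(outcome) == ok_target:
                findings.append(
                    (name, f"'{outcome}' leads to the same step as 'authenticated' ({ok_target})"))
        # With force disabled, the step respects remembered devices.
        if step.get("guards_high_risk") and not step.get("force", False):
            findings.append(
                (name, "force is disabled, so a remembered device skips MFA before a high-risk action"))
    return sorted(findings)

# Constructed sample journey, not taken from any real tenant.
SAMPLE = {
    "login-mfa": {
        "force": False,
        "guards_high_risk": False,
        "outcomes": {"authenticated": "home", "notAvailable": "enroll-mfa", "failure": "error"},
    },
    "payment-mfa": {
        "force": False,
        "guards_high_risk": True,
        "outcomes": {"authenticated": "confirm-payment", "notAvailable": "confirm-payment"},
    },
}

if __name__ == "__main__":
    for step_name, finding in review_mfa_steps(SAMPLE):
        print(f"{step_name}: {finding}")
```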

Device session handling:

  • Successful MFA authentications update the device session if the customer chooses to remember their device.
  • Failed authentications do not update or store any remembered device data.

If multiple MFA authentication steps are configured in a single journey, the final completed step controls whether the customer's device is remembered. Earlier steps do not overwrite the result if they are skipped or failed.