MFA enrollment step

The MFA registration step allows customers to enroll in one or more multi-factor authenticators as part of their account setup.

Depending on the Adaptive Access policy assigned to the application, this step can be configured to require one or more MFA methods or to make enrollment optional.

Depending on the methods made available:

• The customer is prompted to choose and register one or more MFA methods.
• For each method, they are guided through the steps required to complete the setup.
• Upon completion, they are shown a confirmation screen before continuing.

Supported authenticators

Customers can register any of the following supported MFA methods:

• Email-based MFA: Customers receive a one-time passcode to their email address and enter it on screen to complete verification. Depending on configuration, magic link delivery may also be available.
• Phone-based MFA (SMS): A one-time passcode is sent via SMS to the customer’s phone number. This method can also deliver a magic link, based on policy configuration.
• TOTP-based apps (e.g., Google Authenticator): Customers scan a QR code using their authentication app and verify by entering the generated passcode.
• Platform biometric authenticators: Customers can register a FIDO2-compatible computer or phone biometric as an authenticator.
• Security keys: Customers can register a FIDO2-compatible hardware key (for example, YubiKey).
• Passkeys: Passkey promotion can be enabled as a follow-up step after a successful MFA enrollment.

Settings that affect this step

The customer experience at this step depends on the following configurations:

• Adaptive Access policy:
  • Defines which MFA methods are available.
  • Controls whether their registration is optional or mandatory.
• Branding policy: Controls the appearance and text of each MFA registration screen.

What happens next

After MFA registration is complete, the customer continues to the next step of the registration journey. This could include passkey promotion (if configured) or any other subsequent step, such as account activation or redirection to a post-registration destination.

Extensibility points

Before and after the MFA registration step, the following extensibility points are available:

Before authenticator enrollment: This hook allows you to customize the MFA enrollment workflow based on customer behavior or information collected from external systems such as CMRs, marketing hubs, or data analytics platforms. Additionally, it can override the MFA enrollment plan defined in the adaptive access policy for the application. You can control the appearance of enabled authenticators, such as email, phone, platform biometrics, etc. However, the methods associated with those authenticators (e.g., magic link, passcode) cannot be configured through the event hook. This hook also lets you enforce a specific email or phone number authenticator, even when restrictions apply. You can require customers to enroll in one of the enabled authenticators if every method is set to optional in the basic MFA flow, or prompt them to change their password. Synchronous hook.

After MFA change: This hook can trigger an external event or fetch data from an external system once the customer has completed the verification of a new/additional MFA factor during enrollment or removed a factor. Asynchronous hook.