MFA enrollment step

The MFA registration step allows customers to enroll in one or more multi-factor authenticators as part of their account setup.

Diagram showing the MFA enrollment step within the registration journey. The preceding step is Identity verification, and the following step is Passkey promotion. Two optional lifecycle event hooks are shown: “Before authenticator enrollment” (before the step) and “After MFA change” (after the step, marked as asynchronous).

The MFA registration step within the registration journey

Depending on the Adaptive Access policy assigned to the application, this step can be configured to require one or more MFA methods or to make enrollment optional.

Depending on the methods made available:

  • The customer is prompted to choose and register one or more MFA methods.
  • For each method, they are guided through the steps required to complete the setup.
  • Upon completion, they are shown a confirmation screen before continuing.

Supported authenticators

Customers can register any of the following supported MFA methods:

Settings that affect this step

The customer experience at this step depends on the following configurations:

What happens next

After MFA registration is complete, the customer continues to the next step of the registration journey. This could include passkey promotion (if configured) or any other subsequent step, such as account activation or redirection to a post-registration destination.

Extensibility points

Before and after the MFA registration step, the following extensibility points are available:

Before authenticator enrollment: This hook allows you to customize the MFA enrollment workflow based on customer behavior or information collected from external systems such as CRMs, marketing hubs, or data analytics platforms. It can also override the MFA enrollment plan defined in the Adaptive Access policy for the application. You can control the appearance of enabled authenticators, such as email, phone, and platform biometrics. However, the methods associated with those authenticators (e.g., magic link, passcode) cannot be configured through the event hook. This hook also lets you enforce a specific email or phone number authenticator, even when restrictions apply. You can require customers to enroll in one of the enabled authenticators if every method is set to optional in the basic MFA flow, or prompt them to change their password. This is a synchronous hook.

After MFA change: This hook can trigger an external event or fetch data from an external system once the customer has completed the verification of a new or additional MFA factor during enrollment, or has removed a factor. This is an asynchronous hook.
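
The following Python sketch is an added example, not the product's code or API: it models the kind of decision a Before authenticator enrollment handler could make within the limits described above. The plan shape, the `phone_number_disputed` and `risk_tier` fields, and the returned keys are all hypothetical, since this page does not document the hook's request or response format.

```python
from typing import Optional

# Constructed sample of an adaptive access policy plan (hypothetical shape).
SAMPLE_PLAN = {
    "email": {"enabled": True, "required": False, "methods": ["magic link", "passcode"]},
    "phone": {"enabled": True, "required": False, "methods": ["passcode"]},
    "platform_biometrics": {"enabled": False, "required": False, "methods": []},
}


def decide_enrollment(plan: dict, external: Optional[dict]) -> dict:
    """Decide which enabled authenticators to show and whether one is mandatory.

    `external` is data fetched from an outside system (for example a CRM),
    or None when that lookup failed or timed out.
    """
    enabled = {name: cfg for name, cfg in plan.items() if cfg["enabled"]}
    required = {name for name, cfg in enabled.items() if cfg["required"]}
    decision = {"show": sorted(enabled), "required": sorted(required),
                "require_one": False}
    # The hook is synchronous: if the external lookup fails, return the
    # policy's own plan unchanged rather than blocking or relaxing enrollment.
    if external is None:
        return decision

    show = set(enabled)
    # Only enabled authenticators can be hidden or shown; methods such as
    # magic link or passcode are not part of the decision at all.
    if external.get("phone_number_disputed"):
        remaining = show - {"phone"}
        # Keep phone if it is required by policy or is the only option left.
        if "phone" not in required and remaining:
            show = remaining
    # Every shown authenticator optional: force enrollment in at least one
    # for customers the external system marks as higher risk.
    if not (required & show) and external.get("risk_tier") == "high":
        decision["require_one"] = True
    decision["show"] = sorted(show)
    return decision
```

The design choice worth copying is the fallback: a handler that cannot reach its external system returns the policy's plan as configured, so an outage never silently weakens enrollment.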