search
githubEdit

shield-checkMFA (multi-factor authentication)

The table below provides a comprehensive overview of the Flashback API multi-factor authentication endpoints, grouped by functional area. Each section lists the available HTTP functions along with a concise description of their purpose, helping developers understand how to implement secure multi-factor authentication.

circle-info

Multi-factor authentication enhances security by requiring users to provide additional verification beyond their password. The Flashback platform supports multiple MFA methods including Google Authenticator, Magic Links, and WebAuthn Passkeys.

hashtag
MFA Status & Methods API Calls

Method
API Reference
Description

GET/mfa/status

get__mfa_status

Get the current MFA status for the authenticated user.

GET/mfa/methods

get__mfa_methods

Get available MFA methods and their configuration status.

hashtag
MFA Setup & Configuration API Calls

Method
API Reference
Description

POST/mfa/setup

post_mfa_setup

Initialize setup for an MFA method.

POST/mfa/verify-setup

post__mfa_verify-setup

Verify and complete MFA setup process.

POST/mfa/enable

post__mfa_enable

Enable a configured MFA method.

POST/mfa/disable

post_mfa_disable

Disable an enabled MFA method.

hashtag
MFA Management API Calls

Method
API Reference
Description

POST/mfa/primary

post__mfa_primary

Set the primary MFA method for the user.

POST/mfa/reset

post__mfa_reset

Reset user's MFA configuration (self-service).

POST/mfa/organization/enforce

post__mfa_organization_enforce

Enforce MFA for organization members (admin only).

hashtag
Magic Link MFA API Calls

Method
API Reference
Description

POST/mfa/magic-link/send

post__mfa_magic-link_send

Send magic link for MFA verification.

POST/mfa/magic-link/activate

post__mfa_magic-link_activate

Activate magic link MFA during setup.

hashtag
Passkey MFA API Calls

Method
API Reference
Description

POST/mfa/passkey/auth-options

post__passkey_auth-options

Generate authentication options for passkeys.

POST/mfa/passkey/complete-registration

post__mfa_passkey_complete-registration

Complete passkey registration process.

POST/mfa/passkey/complete-registration-1

post__mfa_passkey_complete-registration-1

Alternative passkey registration endpoint.

hashtag
MFA Authentication Flow

hashtag
1. Setup Phase

  • User initiates MFA setup with /mfa/setup

  • System generates configuration data (QR codes, challenges, etc.)

  • User completes verification with /mfa/verify-setup

  • MFA method is enabled with /mfa/enable

hashtag
2. Authentication Phase

  • User provides primary credentials (username/password)

  • System prompts for MFA verification

  • User completes MFA challenge

  • Full access is granted upon successful verification

hashtag
3. Management Phase

  • Users can manage their MFA methods

  • Set primary MFA method

  • Enable/disable specific methods

  • Reset MFA configuration when needed

hashtag
Supported MFA Methods

  • Google Authenticator: Time-based one-time passwords (TOTP)

  • Magic Links: Secure email-based authentication

  • Passkeys: WebAuthn-based biometric or hardware key authentication

circle-exclamation

Security Note: MFA significantly enhances account security. Always use HTTPS in production and ensure proper session management. Users should have backup MFA methods configured.

Previousput__user_{userId}_roleNextget__mfa_status

Last updated

Was this helpful?