MFA (multi-factor authentication)

The tables below give an overview of the Flashback API multi-factor authentication endpoints, grouped by functional area. Each section lists the available HTTP endpoints with a concise description of their purpose, to help developers implement multi-factor authentication.

Multi-factor authentication enhances security by requiring users to provide additional verification beyond their password. The Flashback platform supports multiple MFA methods including Google Authenticator, Magic Links, and WebAuthn Passkeys.

MFA Status & Methods API Calls

| Method | API Reference | Description |
| --- | --- | --- |
| GET | /mfa/status | Get the current MFA status for the authenticated user. |
| GET | /mfa/methods | Get available MFA methods and their configuration status. |

MFA Setup & Configuration API Calls

| Method | API Reference | Description |
| --- | --- | --- |
| POST | /mfa/setup | Initialize setup for an MFA method. |
| POST | /mfa/verify-setup | Verify and complete MFA setup process. |
| POST | /mfa/enable | Enable a configured MFA method. |
| POST | /mfa/disable | Disable an enabled MFA method. |

MFA Management API Calls

| Method | API Reference | Description |
| --- | --- | --- |
| POST | /mfa/primary | Set the primary MFA method for the user. |
| POST | /mfa/reset | Reset user's MFA configuration (self-service). |
| POST | /mfa/organization/enforce | Enforce MFA for organization members (admin only). |

Magic Link MFA API Calls

| Method | API Reference | Description |
| --- | --- | --- |
| POST | /mfa/magic-link/send | Send magic link for MFA verification. |
| POST | /mfa/magic-link/activate | Activate magic link MFA during setup. |

Passkey MFA API Calls

| Method | API Reference | Description |
| --- | --- | --- |
| POST | /mfa/passkey/auth-options | Generate authentication options for passkeys. |
| POST | /mfa/passkey/complete-registration | Complete passkey registration process. |
| POST | /mfa/passkey/complete-registration-1 | Alternative passkey registration endpoint. |

MFA Authentication Flow

1. Setup Phase

  • User initiates MFA setup with /mfa/setup

  • System generates configuration data (QR codes, challenges, etc.)

  • User completes verification with /mfa/verify-setup

  • MFA method is enabled with /mfa/enable

2. Authentication Phase

  • User provides primary credentials (username/password)

  • System prompts for MFA verification

  • User completes MFA challenge

  • Full access is granted upon successful verification

3. Management Phase

  • Users can manage their MFA methods

  • Set primary MFA method

  • Enable/disable specific methods

  • Reset MFA configuration when needed

Supported MFA Methods

  • Google Authenticator: Time-based one-time passwords (TOTP)

  • Magic Links: Secure email-based authentication

  • Passkeys: WebAuthn-based biometric or hardware key authentication
