The MFA (multi-factor authentication) flow adds an MFA action to authentication flow. The flow transitions to the DEVICE_SELECTION_REQUIRED flow state and calls the device.select action to specify the device used for the MFA action. If an email or SMS device is selected, the flow transitions to the OTP_REQUIRED flow state and calls the otp.check action to send a one-time password (OTP) to the user’s specified device. After the OTP is issued and the user submits the correct OTP, the flow completes.

MFA

Push authentication

This branch of the MFA flow shows the flow states for a push authentication confirmation action (on a mobile device). The flow starts at the DEVICE_SELECTION_REQUIRED flow state and calls the device.select action to specify the device used for the MFA action. If a mobile device is selected, the flow transitions to the PUSH_CONFIRMATION_REQUIRED flow state. If the user taps the APPROVE option, the flow transitions to the COMPLETED flow state. If the user taps the DENY option, the flow transitions to the FAILED flow state.

If the user does not respond to the push authentication confirmation request, the request times out. The flow transitions to the PUSH_CONFIRMATION_TIMED_OUT flow state and uses the device.select action to prompt the user to select a device for the MFA action. The user can retry with the same device or choose another device. If the user chooses to retry with the same device (or with a different mobile device), the flow transitions to the PUSH_CONFIRMATION_REQUIRED flow state. If the user selects an email or SMS device, the flow transitions to the OTP_REQUIRED flow state and uses the otp.check action to complete the MFA sign-on action.