The MFA (multi-factor authentication) flow adds an MFA action to the authentication flow. The flow transitions to the DEVICE_SELECTION_REQUIRED flow state and calls the device.select action to specify the device used for the MFA action. If an email or SMS device is selected, the flow transitions to the OTP_REQUIRED flow state and calls the otp.check action to send a one-time password (OTP) to the user’s specified device. After the OTP is issued and the user submits the correct OTP, the flow completes.

This branch of the MFA flow shows the flow states for a push authentication confirmation action (on a mobile device). The flow starts at the DEVICE_SELECTION_REQUIRED flow state and calls the device.select action to specify the device used for the MFA action. If a mobile device is selected, the flow transitions to the PUSH_CONFIRMATION_REQUIRED flow state. If the user taps the APPROVE option, the flow transitions to the COMPLETED flow state. If the user taps the DENY option, the flow transitions to the FAILED flow state.

If the user does not respond to the push authentication confirmation request, the request times out. The flow transitions to the PUSH_CONFIRMATION_TIMED_OUT flow state and uses the device.select action to prompt the user to select a device for the MFA action. The user can retry with the same device or choose another device. If the user chooses to retry with the same device (or with a different mobile device), the flow transitions to the PUSH_CONFIRMATION_REQUIRED flow state. If the user selects an email or SMS device, the flow transitions to the OTP_REQUIRED flow state and uses the otp.check action to complete the MFA sign-on action.
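
The flow states above can be written down as a transition table and used to audit a recorded sequence of flow states, for example to flag a session that reached COMPLETED without passing through an OTP or push state. This is an added example, not code from the product or its documentation; the event labels, the function name `audit_trace` and the sample traces are assumptions made for illustration, and only the transitions stated on this page are modeled.

```python
# Added example: transitions exactly as described on this page.
# Event labels (inner keys) are assumed names for illustration, not API values.
TRANSITIONS = {
    "DEVICE_SELECTION_REQUIRED": {
        "select_email_or_sms": "OTP_REQUIRED",
        "select_mobile": "PUSH_CONFIRMATION_REQUIRED",
    },
    "OTP_REQUIRED": {"otp_correct": "COMPLETED"},
    "PUSH_CONFIRMATION_REQUIRED": {
        "approve": "COMPLETED",
        "deny": "FAILED",
        "timeout": "PUSH_CONFIRMATION_TIMED_OUT",
    },
    "PUSH_CONFIRMATION_TIMED_OUT": {
        "select_email_or_sms": "OTP_REQUIRED",
        "select_mobile": "PUSH_CONFIRMATION_REQUIRED",
    },
}
TERMINAL = {"COMPLETED", "FAILED"}
START = "DEVICE_SELECTION_REQUIRED"


def audit_trace(states):
    """Return a list of findings for an observed sequence of flow states."""
    findings = []
    if not states or states[0] != START:
        findings.append(f"trace does not start at {START}")
    for prev, cur in zip(states, states[1:]):
        if prev in TERMINAL:
            findings.append(f"state {cur} observed after terminal state {prev}")
        elif cur not in TRANSITIONS.get(prev, {}).values():
            findings.append(f"transition {prev} -> {cur} is not in the documented flow")
    if states and states[-1] not in TERMINAL:
        findings.append(f"trace ends in non-terminal state {states[-1]}")
    return findings


# Constructed sample traces (not real log data).
PUSH_TIMEOUT_THEN_OTP = [
    "DEVICE_SELECTION_REQUIRED", "PUSH_CONFIRMATION_REQUIRED",
    "PUSH_CONFIRMATION_TIMED_OUT", "OTP_REQUIRED", "COMPLETED",
]
SKIPPED_FACTOR = ["DEVICE_SELECTION_REQUIRED", "COMPLETED"]

if __name__ == "__main__":
    for trace in (PUSH_TIMEOUT_THEN_OTP, SKIPPED_FACTOR):
        print(audit_trace(trace) or "ok")
```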