Multi-Factor Authentication (MFA)
Overview
Rave supports Multi-Factor Authentication (MFA), also known as two-factor authentication (2FA), to enhance account security. When users enable MFA for their accounts, they are required to complete an additional verification step during sign-in. This provides an extra layer of protection by combining two different types of verification.
MFA is a widely used security feature that gives users control over their account safety: even if one factor (such as a password) is compromised, the second factor still blocks unauthorized access.
Note
MFA is not enforced when signing in via Passkey authentication. Passkeys inherently provide a high level of security by leveraging public key cryptography, making an additional MFA step redundant.
How It Works
Enabling MFA
Administrators can enable MFA for an application through the Rave Developer Portal:
Navigate to the Apps section.
Find the desired application and click on its Settings.
On the Application Details page, click on the Edit application settings button.
Enable the Enforce OTP second factor authentication option.
Save the changes to enable MFA for the selected application.
Registering OTP
Users can set up MFA by linking their Rave account to an OTP (One-Time Password) application such as Google Authenticator or Authy. The setup process involves:
Generating a provisioning URI (typically displayed as a QR code).
Scanning the QR code with their OTP application.
Verifying the generated OTP to complete the setup.
Signing In with MFA
Once MFA is enabled and set up, users must provide their OTP during the sign-in process. This ensures that access is granted only to verified users with access to their registered device.
If users cannot access their OTP application, they can use a backup code as an alternative. Backup codes are generated during the MFA setup process and can be used for account recovery.
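The registration and sign-in steps above (provisioning URI, scanning, verifying the code) follow the standard TOTP scheme used by Google Authenticator and Authy. The block below is an added example, not Rave's own code, implementing that scheme from scratch in Python (RFC 4226 HOTP under RFC 6238 TOTP): it generates a secret, builds the otpauth:// URI that is rendered as the QR code, and verifies a submitted code with a small clock-skew window and replay protection (a step that has already been accepted is never accepted again). The 30-second step, 6 digits and SHA-1 are common defaults assumed here; the test secret is the RFC 6238 reference vector.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Assumed defaults (the RFC 6238 / authenticator-app conventions, not Rave's
# documented values): 30-second time step, 6-digit codes, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890", base32-encoded).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32 without padding: the form that goes
    into the provisioning URI and that authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Build the otpauth:// URI that is normally shown as a QR code.
    Label and issuer are percent-encoded; the issuer is repeated as a query
    parameter because apps read either form."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer, safe='')}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to DIGITS decimal digits (zero-padded)."""
    pad = "=" * (-len(secret_b32) % 8)  # restore base32 padding for decoding
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, at: int | None = None) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, last_used_step: int | None,
                at: int | None = None, window: int = 1) -> int | None:
    """Check a submitted code against the current step and +/- `window`
    neighbouring steps to tolerate clock skew. Returns the matched step on
    success so the caller can persist it as `last_used_step` and refuse the
    same (or an older) code later; returns None on failure. The comparison
    is constant-time so timing does not leak which digits matched."""
    now = int(time.time()) if at is None else at
    current = now // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue  # that step was already consumed: block replay
        if hmac.compare_digest(hotp(secret_b32, step), submitted):
            return step
    return None


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com", "Rave"))  # constructed values
    print("current code:", totp(secret))
```

Registration is complete when `verify_totp` returns a step for the code the user reads from their app; sign-in repeats the same check and stores the returned step, which is what makes a captured code useless once it has been used.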
Managing Backup Codes
Backup codes are essential for account recovery when users cannot generate OTPs. Users can:
View existing backup codes.
Generate a new set of backup codes, which invalidates any previous codes.
Disabling MFA
MFA can be disabled by users or administrators if necessary. Disabling MFA removes the additional verification step, reverting to the default single-factor authentication method.
MFA Settings
Administrators can configure MFA for their applications via the Rave Developer Portal by enforcing OTP as a mandatory requirement for user sign-in.
Extended Authentication Features
When MFA is enabled for an application, the session creation process may require users to provide a valid OTP or backup code. If users attempt to authenticate without providing the required OTP and receive a "207 OTP Code Required" response, the application should prompt them for their OTP or backup code and retry the authentication to complete it.
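The two server-side behaviours described on this page, backup codes (Managing Backup Codes: a fresh set invalidates the previous one, and each code works only once) and the session-creation decision that yields the "207 OTP Code Required" outcome (Extended Authentication Features), are modelled together in the added Python example below. It is illustrative code, not Rave's implementation: the `MfaState` record, the code count and format, and the rule that the requirement applies only once a user has registered an OTP secret are assumptions. The OTP check itself is injected as a callable so the block does not depend on any particular OTP library; backup codes are stored only as SHA-256 hashes and compared in constant time.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Optional

BACKUP_CODE_COUNT = 10   # assumed: codes per set
BACKUP_CODE_BYTES = 5    # assumed: 10 hex characters per code

# Outcomes of the session-creation step; 207 is the response the page names.
SESSION_CREATED = 200
OTP_REQUIRED = 207
REJECTED = 401


@dataclass
class MfaState:
    """Hypothetical per-user MFA record: the OTP secret set at registration
    (None until then) and the hashes of the backup codes not yet used."""
    otp_secret: Optional[str] = None
    backup_hashes: set[str] = field(default_factory=set)


def _normalise(code: str) -> str:
    # Let users type codes with or without the display dash and in any case.
    return code.replace("-", "").strip().lower()


def _hash_code(code: str) -> str:
    # Backup codes are random and high-entropy, so an unsalted SHA-256 is
    # adequate to keep them out of the database in clear text.
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


def generate_backup_codes(state: MfaState) -> list[str]:
    """Issue a new set. Replacing the stored hash set is what invalidates
    every code from the previous set. Plaintext codes are returned exactly
    once for display and never stored."""
    codes = []
    for _ in range(BACKUP_CODE_COUNT):
        raw = secrets.token_hex(BACKUP_CODE_BYTES)
        codes.append(f"{raw[:5]}-{raw[5:]}")   # e.g. "3fa9c-b17e0" (constructed format)
    state.backup_hashes = {_hash_code(c) for c in codes}
    return codes


def consume_backup_code(state: MfaState, submitted: str) -> bool:
    """Single use: on a match the stored hash is removed so the same code is
    refused next time. Constant-time comparison on each stored hash."""
    digest = _hash_code(submitted)
    for stored in state.backup_hashes:
        if hmac.compare_digest(stored, digest):
            state.backup_hashes.discard(stored)
            return True
    return False


def create_session(state: MfaState, enforce_otp: bool, code: Optional[str],
                   otp_verifier: Callable[[str, str], bool]) -> int:
    """Decide the outcome after the first factor (password) has already been
    verified. `otp_verifier(secret, code)` is supplied by the caller, e.g. a
    TOTP check. Assumed rule: the second factor is demanded only when the
    application enforces OTP and the user has registered an OTP secret."""
    mfa_active = enforce_otp and state.otp_secret is not None
    if not mfa_active:
        return SESSION_CREATED
    if code is None:
        return OTP_REQUIRED      # client should prompt for OTP/backup code and retry
    if otp_verifier(state.otp_secret, code):
        return SESSION_CREATED
    if consume_backup_code(state, code):
        return SESSION_CREATED   # recovery path: one backup code burned
    return REJECTED
```

A client that receives `OTP_REQUIRED` should repeat the same session request with the code attached; the server never creates a session for an enforced application until either the OTP check or a still-unused backup code succeeds.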