How do I set up MFA for my users?
Forte has multi-factor authentication built in for your project's end users — you don't add a separate MFA vendor. You turn it on per project and choose how strict it is.
Turn it on
MFA is configured on the project, next to your other authentication settings, in the console or via the CLI. Pick an enforcement mode:
- Disabled — MFA is off (the default).
- Optional — users who have a second factor are challenged for it; users who don't sign in normally.
- Required — every user must pass a second factor, and a user who has none is forced to enroll one before they get a session.
Then choose which second factors to allow: authenticator app (TOTP), passkeys and security keys (WebAuthn), email one-time passcode, and SMS one-time passcode. Backup codes are always available for recovery.
Handle it in your app
Every first-factor login call returns an mfaStatus. When it's CHALLENGE_REQUIRED, you're holding a short-lived pending token — send the challenge, collect the code, and call verify to exchange it for a full session. The MFA documentation has copy-paste examples in TypeScript, Java, and Python, plus the full error reference.
A good default
The strongest common setup is password login with enforcement Required and the authenticator-app and/or passkey factors enabled — that puts every user through a real second factor on a channel independent of their password. See Sessions for how pending and full tokens differ.