> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/identity-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/identity-support/user-guide/organization-admin-app/members/mfa-verification.md).

# MFA verification

### Scope <a href="#scope" id="scope"></a>

This document defines the **Multi-Factor Authentication (MFA) verification flow** for **Members** in a Business Organization.

MFA verification occurs **after successful email and password authentication**, when required by organization security policies.

Members **cannot configure, enable, or disable MFA methods**.

***

### I am new. Where should I start? <a href="#i-am-new.-where-should-i-start" id="i-am-new.-where-should-i-start"></a>

If you are a **Member**, MFA verification may appear during sign-in.

You only need to:

* Follow the on-screen verification instructions
* Use the MFA method required by your organization

No prior configuration is needed unless instructed by your administrator.

***

### Purpose <a href="#purpose" id="purpose"></a>

This guide helps Members understand:

* When MFA verification is required
* What MFA verification methods may be used
* How to complete MFA verification successfully

***

### Prerequisites <a href="#prerequisites" id="prerequisites"></a>

Before completing MFA verification:

* You have already signed in with email and password
* MFA is enabled or enforced by your organization
* You have access to the required verification method

***

### I already understand. How do I proceed step by step? <a href="#i-already-understand.-how-do-i-proceed-step-by-step" id="i-already-understand.-how-do-i-proceed-step-by-step"></a>

***

### 1. When MFA Verification Is Triggered <a href="#id-1.-when-mfa-verification-is-triggered" id="id-1.-when-mfa-verification-is-triggered"></a>

MFA verification is required when:

* Mandatory MFA is enforced by the organization
* Risk-based access control detects unusual behavior
* You sign in from a new device, location, or network

***

### 2. MFA Verification Methods <a href="#id-2.-mfa-verification-methods" id="id-2.-mfa-verification-methods"></a>

The verification method is automatically selected based on **organization policy**.

***

#### Option A: Authenticator App (TOTP) <a href="#option-a-authenticator-app-totp" id="option-a-authenticator-app-totp"></a>

**Step 1:** Select **Authenticator** as the verification method.

**Step 2:** Open your authenticator app on your mobile phone or tablet.

**Step 3:** Enter the verification code displayed in the app.

Once the code is validated, verification is completed automatically.

***

#### Option B: Email Verification Code <a href="#option-b-email-verification-code" id="option-b-email-verification-code"></a>

**Step 1:** Select **Email** as the verification method.

**Step 2:** Check your email inbox for the verification message.

**Step 3:** Enter the verification code provided.

Verification completes automatically once the code is validated.

**Note**: If you do not receive the verification code, see [What should I do if I don't receive a verification code when signing up or forgot password?](https://silvertiger.atlassian.net/wiki/spaces/QD/pages/193331260)

&#x20;

#### Option C: Passkey Verification (FIDO2 / WebAuthn) <a href="#option-c-passkey-verification-fido2-webauthn" id="option-c-passkey-verification-fido2-webauthn"></a>

**Step 1:** Passkey is selected as the default verification method.

**Step 2:** Click **Continue**.

**Step 3:** Verify your identity using a registered passkey.

Follow the on-screen instructions provided by your device to complete verification.

***

### 3. Verification Result <a href="#id-3.-verification-result" id="id-3.-verification-result"></a>

After successful MFA verification:

* Sign-in is completed
* You are redirected to your dashboard or assigned workspace
* Your session continues normally

***

### Failure and Retry <a href="#failure-and-retry" id="failure-and-retry"></a>

If MFA verification fails:

* You may retry within allowed limits
* Excessive failures may temporarily block sign-in
* You may be prompted to use an alternative method if allowed by policy

***

### Security Considerations <a href="#security-considerations" id="security-considerations"></a>

* Verification codes are time-limited and single-use
* Verification attempts are logged for audit purposes
* Rate limiting is applied to prevent abuse
* MFA may be required again for high-risk actions

***

### Important Notes <a href="#important-notes" id="important-notes"></a>

* Members cannot change MFA settings
* MFA methods are enforced by the organization
* Password reset does not disable MFA enforcement
* Loss of access to MFA method requires administrator assistance

***

### Summary <a href="#summary" id="summary"></a>

| Item              | Member                        |
| ----------------- | ----------------------------- |
| MFA Configuration | ❌ Not allowed                 |
| MFA Verification  | ✅ Required (if enforced)      |
| Supported Methods | Authenticator, Email, Passkey |
| Retry Attempts    | ✅ Limited                     |
| MFA Bypass        | ❌ Not supported               |
