Today, we’re announcing an exciting new addition to Stormpath: multi-factor authentication. We’ve heard time and time again from customers about the demand for this feature, and are proud to have built one of the best solutions for MFA.

There are many ways for users to expose their passwords, whether through a breach elsewhere or a phishing attack, so applications that care about security should offer users a way to protect themselves beyond the password alone. Multi-factor authentication means that a stolen password by itself is no longer enough to get into the account.

We’ve built a flexible solution that’s useful for a variety of use cases. Not only can you use Stormpath to do traditional two-factor authentication upon login, you can use this feature to protect sensitive operations, and even use it to validate users when their identity is suspicious.

Stormpath makes it easy for developers to build multi-factor authentication in conjunction with our complete solution for identity and user management, and I’m excited to give you a quick overview of how it works.

Using Google Authenticator

Google Authenticator uses the TOTP (Time-based One-Time Password) algorithm, specified in RFC 6238, to let you validate your user’s identity. It works by sharing a “secret” between the user’s app and your application; both sides combine that secret with the current time (in 30-second steps) to derive a short code that is only valid for the current step, so a code that is intercepted is useless moments later. Many other apps implement the same algorithm and are compatible with Google Authenticator, including Authy and Duo Security, and any of them can be used with Stormpath.

To use this form of MFA, we’ll start the process by adding Google Authenticator to an account in Stormpath:

This will create a “factor” on the user account, which you can now query for and use to validate the user’s 2FA codes.

Google Authenticator on my Stormpath Account

When you create the factor, one of the properties Stormpath returns is base64QRImage. If you display it to your user, they can scan it to pair their authenticator app. Try scanning this demo QR code with Google Authenticator (available for iOS and Android), Authy, or another TOTP-compatible authenticator app!

Google Authenticator QR Code

I personally like using Authy as an authenticator app, so you can see it added to my Authy profile alongside my Coinbase account:

Stormpath on Authy

As the developer, whenever I ask the user for the authentication code, I’ll POST it back to Stormpath to check if it’s valid:

If the code is valid, Stormpath will return a success response and you can proceed! Otherwise, your application needs to decide what to do next. Since a TOTP code is only six digits, that decision should include limiting how many failed attempts a user gets before the login is blocked; without a limit, an attacker who already has the password can simply guess.
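The validation Stormpath performs behind that POST is standard RFC 6238 TOTP, so it helps to see the whole flow above in one place. The following is an added example written for this post, not Stormpath’s code and not its API: it generates the shared secret that gets encoded into the pairing QR code (as an otpauth:// URI), derives the code the user’s app shows, and verifies a submitted code on the server side with a one-step tolerance for clock drift and a “last used counter” so that a code cannot be replayed inside its window. All function names are my own, and the secret used in the usage at the bottom is the RFC 4226/6238 test-vector secret, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # time step used by Google Authenticator and compatible apps
DIGITS = 6          # code length those apps display


def new_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded without padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that is rendered into the pairing QR code (hypothetical issuer/account)."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret_b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}"
    )


def _decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding


def _hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is what the app displays."""
    t = int(time.time()) if at is None else at
    return _hotp(_decode_secret(secret_b32), t // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at: Optional[int] = None,
                window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the time-step counter the code matched, or None.

    `window` steps either side of "now" are accepted to absorb clock drift.
    `last_counter` is the counter of the last code this user already used; the caller
    persists the returned value so the same code cannot be replayed within the window.
    """
    t = int(time.time()) if at is None else at
    key = _decode_secret(secret_b32)
    counter = t // STEP_SECONDS
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue                      # already consumed: replay
        if hmac.compare_digest(_hotp(key, c), submitted):   # constant-time compare
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 test-vector secret ("12345678901234567890" in base32), constructed for the demo.
    demo = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(demo, "alice@example.com", "Stormpath"))
    code = totp(demo, at=59)                      # "287082" (matches the RFC table)
    matched = verify_totp(demo, code, at=59)      # 1
    replayed = verify_totp(demo, code, at=59, last_counter=matched)   # None
    print(code, matched, replayed)
```

The window keeps a user with a slightly slow phone clock from being locked out, but every step you accept multiplies an attacker’s guessing odds, so keep it at one and pair it with an attempt limit.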

Using SMS Authentication

In addition to Google Authenticator, Stormpath also supports sending verification codes to your user over SMS. Why SMS? There are known problems with SMS as an authentication factor (codes can be redirected by SIM swapping or intercepted in transit, and a user can be phished into reading one out), but not every end user has a smartphone, or is willing to download an app for that extra bit of protection. In those scenarios, SMS still increases the security of your app by giving you another way to validate the identity of your users.

Stormpath uses a mix of telephony carriers to send SMS messages to your customers, and ensures that you’ll have reliable deliverability for your SMS authentication messages.

SMS authentication works in a similar way to our Google Authenticator flow. We’ll start out by adding a phone number factor to a Stormpath account:

Now, you can tell Stormpath to send an SMS challenge to the account’s factor:

Here’s the verification code on my phone:

Two Factor Authentication Challenge Message

Just like Google Authenticator, you’ll POST the code back to Stormpath, which will validate it and let you proceed with confidence about your user! The same attempt-limiting advice applies here, and an SMS code should also expire after a few minutes and be accepted only once.
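Unlike TOTP, an SMS code is not derived from a shared secret; the server picks a random code, sends it, and remembers it just long enough to check the user’s reply. The following is an added example of that server-side bookkeeping, written for this post rather than taken from Stormpath: it issues a challenge, stores only a salted hash of the code, expires it after a few minutes, caps the number of guesses, and consumes it on first success. The in-memory dictionary, the `send_sms` callback and the `factor_id` key are stand-ins I chose for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # an SMS code is useless after a few minutes
MAX_ATTEMPTS = 5         # six digits: lock out long before guessing becomes viable


@dataclass
class SmsChallenge:
    code_hash: bytes     # never store the plaintext code
    salt: bytes
    expires_at: int
    attempts: int = 0


# Constructed stand-in for a database table keyed by the phone-number factor's id.
_challenges: Dict[str, SmsChallenge] = {}


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now


def issue_challenge(factor_id: str, send_sms: Callable[[str, str], None],
                    now: Optional[int] = None) -> None:
    """Generate a fresh random code, store only its salted hash, hand the plaintext to the sender."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"   # CSPRNG, zero-padded
    salt = secrets.token_bytes(16)
    # A new challenge replaces any outstanding one, so at most one code is live per factor.
    _challenges[factor_id] = SmsChallenge(_hash_code(code, salt), salt,
                                          _now(now) + CODE_TTL_SECONDS)
    send_sms(factor_id, f"Your verification code is {code}")


def verify_challenge(factor_id: str, submitted: str, now: Optional[int] = None) -> str:
    """Return 'ok', 'invalid', 'expired', 'too_many_attempts' or 'no_challenge'.

    The challenge is deleted on success, expiry or lockout, so a code is accepted at most once
    and a locked-out user must request a new challenge rather than keep guessing.
    """
    ch = _challenges.get(factor_id)
    if ch is None:
        return "no_challenge"
    if _now(now) >= ch.expires_at:
        del _challenges[factor_id]
        return "expired"
    ch.attempts += 1
    if hmac.compare_digest(_hash_code(submitted, ch.salt), ch.code_hash):
        del _challenges[factor_id]
        return "ok"
    if ch.attempts >= MAX_ATTEMPTS:
        del _challenges[factor_id]
        return "too_many_attempts"
    return "invalid"


if __name__ == "__main__":
    outbox = []                                   # captured instead of a real SMS gateway
    issue_challenge("+15555550100", lambda to, msg: outbox.append(msg), now=1_000)
    code = outbox[-1].split()[-1]                 # what the user reads off their phone
    print(verify_challenge("+15555550100", "000000" if code != "000000" else "000001", now=1_001))
    print(verify_challenge("+15555550100", code, now=1_002))   # ok
    print(verify_challenge("+15555550100", code, now=1_003))   # no_challenge: already consumed
```

Two things this deliberately does not cover but a production deployment must: rate-limiting how often a single factor can request a new code (each challenge costs you an SMS, and repeated sends can be abused), and using a per-deployment secret in the hash so a leaked table is not trivially reversible across its six-digit keyspace.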

Secure Your Application Today

Wasn’t that easy? We think multi-factor authentication is a huge value-add for Stormpath customers, and we’re excited for you to start using it.

Multi-factor authentication is now available in the Stormpath REST API, and will be available in the SDKs soon. We’re excited to help you secure your apps, and are excited to see what you build!

Questions? Tweet @goStormpath for answers, or email us at [email protected] with any questions you have! We’re always happy to help you build something awesome with Stormpath!

Using one of the SDKs? Track when MFA is in the Node.js, Java, Python, .NET, PHP, and Ruby SDKs.