
BlokSec for MFA / 2FA

Although we feel that BlokSec is best used as a strong primary authentication factor in place of passwords and multi-factor authentication (MFA / 2FA) (indeed, BlokSec immutable authentication is stronger than passwords + legacy MFA combined), it can still be used as an additional authentication factor in the following scenarios:

  • As multi-factor authentication (MFA) or second-factor authentication (2FA) during the login process after the user has provided valid username + password credentials
  • During a sensitive operation such as when changing profile information (e.g., email address) as this is often how account take-overs occur
  • As part of a financial transaction such as an online shopping check-out flow or money transfer request

Pre-requisites

In order to use the required APIs, you will need an application created in the administrative console, from which you can get the Application ID (required for the x-application-id header) and Application Secret (required for the x-application-secret header) that authorize the API call. Please see Custom OIDC for instructions.

Registration

Before users can use BlokSec for MFA / 2FA, they must be registered. Registrations are sent to users via email; the email contains a link to the registration request, which must be retrieved by their authenticator app (e.g., yuID, or your custom authenticator application) to complete the linking of their account with their authenticator instance. How and when you register users is up to you, but it is important to ensure that registrations are only sent to trusted, verified email addresses. We recommend including registration as part of the new user onboarding process for your application, while the user's identity is being established.

To register a user with BlokSec, call the POST /registration API:

For help on using the API including the schema, expected request values, and expected response, please see the OpenAPI documentation at the link above.

If you would like to check the status of a registration request, you can look it up with the GET /registration/{registrationId} API with the registration ID returned by the POST /registration API:

Authentication / Authorization

Once a user has been registered, they're ready to perform MFA / 2FA authentication during login. You can also use the BlokSec service to perform step-up authorization during important transactions. To send an auth* request (auth = authentication or authorization) you invoke the POST /auth API:

Note that this is a synchronous API, so your call will block while waiting for the user's response. We suggest showing a user-friendly message along with a spinner so the user knows that a response is pending their action.
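The blocking behaviour described above, as an added example that is not BlokSec's own code: a small Python wrapper that runs the synchronous POST /auth call off the UI thread, drives a spinner callback while it waits, and treats no answer within the timeout exactly like a denial. Only the two header names and the POST /auth path come from this page; the BLOKSEC_BASE_URL variable, the request body, the response shape and the fake_transport stand-in are assumptions for this example, and the real values must be taken from the OpenAPI documentation.

```python
import json
import os
import threading
import time
import urllib.request
from typing import Callable, Dict, Optional

# Only the two header names and the POST /auth path come from the page; the
# body shape, env var name and response fields are assumptions for this example.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]

def http_transport(method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> dict:
    """Real transport; BLOKSEC_BASE_URL is a placeholder you must set."""
    url = os.environ["BLOKSEC_BASE_URL"].rstrip("/") + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)

def fake_transport(delay_s: float, response: dict) -> Transport:
    """Constructed stand-in: 'waits for the user' for delay_s, then answers."""
    def call(method, path, headers, body):
        assert (method, path) == ("POST", "/auth") and "x-application-id" in headers
        time.sleep(delay_s)
        return response
    return call

def step_up(transport: Transport, app_id: str, app_secret: str, body: dict,
            timeout_s: float, on_waiting: Optional[Callable[[], None]] = None,
            poll_s: float = 0.05) -> Optional[dict]:
    """Run the blocking POST /auth off the UI thread and keep the UI responsive.
    Returns the API response, or None if the user did not answer in time.
    Treat None exactly like a denial: the protected operation must not proceed."""
    headers = {"x-application-id": app_id, "x-application-secret": app_secret, "Content-Type": "application/json"}
    result: Dict[str, object] = {}
    def worker():
        try:
            result["resp"] = transport("POST", "/auth", headers, body)
        except Exception as exc:  # surface transport errors instead of a silent None
            result["err"] = exc
    threading.Thread(target=worker, daemon=True).start()
    deadline = time.monotonic() + timeout_s
    while "resp" not in result and "err" not in result and time.monotonic() < deadline:
        if on_waiting:
            on_waiting()  # e.g. redraw the spinner / "waiting for your approval"
        time.sleep(poll_s)
    if "err" in result:
        raise result["err"]
    return result.get("resp")
```

A timed-out request is still pending on the server side, so the caller must not retry the protected operation on the strength of a later, unobserved approval.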