Multi-factor authentication
NamoID adds a second factor on top of password and OTP sign-ins. Multi-factor authentication (MFA) is configured per environment and enforced at the hosted login: when a user with MFA enrolled signs in, they complete a second-factor challenge before an authorization code is issued.
Supported factors
- TOTP — time-based one-time passwords from any authenticator app (Google Authenticator, Authy, 1Password, etc.). Enrollment shows a QR code plus a manual secret; verification accepts the rolling 6-digit code.
- Backup codes — a set of single-use recovery codes generated at enrollment, for when the authenticator device is unavailable.
- Passkeys — a passkey is inherently two-factor (possession of the device + biometric/PIN), so a passkey sign-in satisfies MFA without a separate step. See Passkeys.
Enrollment
A user enrolls from the hosted account pages: they scan the TOTP QR code, confirm a code to prove the authenticator is set up, and are then shown their backup codes once to store safely. After enrollment, subsequent sign-ins present the MFA challenge.
Enforcement modes
MFA enforcement is an environment setting:
- Optional — users may enroll but aren't required to.
- Required — users must enroll before they can complete sign-in; the hosted login walks them through enrollment on next sign-in if they haven't yet.
The mode is set per environment, so you can require MFA in live while keeping
test frictionless.
Backup codes
Backup codes are single-use. When a user signs in with a backup code instead of their authenticator, that code is consumed and can't be reused. Users can regenerate their set from the account pages, which invalidates any unused codes from the previous set.
Challenge rate limits
The MFA challenge endpoint is rate-limited per target and per IP, so a stolen password can't be paired with an online brute-force of the second factor. A sustained failure pattern is captured in the audit log as a security event — see Audit & DSAR.
Events
MFA actions emit audit events (enrollment, challenge success/failure, backup code consumption), giving you a complete record of second-factor activity per user.