Enable 2FA

If you’re using Hosted Login v2, you can enable 2FA by adding the authentication.second_factor setting in the Identity Cloud Console.

In general, settings can be added to Global Settings or to a specific property. In this case, 2FA should not be enabled as a global setting unless all your clients are configured to use Hosted Login v2. If you still have v1 clients, 2FA should be enabled at the property level only.

The steps below enable 2FA for a specific property:

  1. Navigate to your application in the Identity Cloud Console
  2. Navigate to MANAGE PROPERTIES
  3. Click the Actions menu ( ) for your Login Client and select Edit. This will take you to the page for viewing and editing your property. View/Edit property in Console
  4. Click the EDIT SETTINGS button at the bottom of the Settings section
  5. Click the Add Setting icon (Add Setting button). This will add a new line to the bottom of the list.
  6. Type or paste in the new setting name: authentication.second_factor
  7. Click on the Create authentication.second_factor. popup Create 2FA setting in Console
  8. Type in the value for this setting: true 2FA setting value in Console

    If you ever want to disable 2FA, you can set this value to false or delete this setting.

  9. Click the Save icon (Save button)

It may take a few minutes for your changes to be reflected in Hosted Login after you add or update a setting in Console.

The next time you perform a login or registration, you will be prompted to provide the code that was sent to your email address. 2FA code screen in Hosted Login

Note that if the user has a valid mobileNumber value in their profile, this screen will look a bit different. We’ll get into this next.

SMS for 2FA

NOTE! You can start using SMS immediately, however there will be transactional cost incurred when SMS messages are sent in Production. If you plan to use this service, please reach out to your Akamai Identity Cloud representative for details.

When 2FA is enabled, the default behavior is to send the second-factor authentication code to the user’s email address.

Alternatively, the code can be sent to the user’s mobile device via SMS message. This option is automatically enabled for any end user with the expected mobile number value in their profile (as defined below). 2FA options screen in Hosted Login

Specifically, the following is required in order for SMS 2FA to work:

  1. The schema must contain these two top-level attributes:

    • mobileNumber
    • mobileNumberVerified

  2. The value stored in the mobileNumber attribute in the user record must be a valid phone number including country code, with no spaces, dashes, dots or parentheses.

    • Examples of acceptable and unacceptable US phone number format as stored in the user record:

      • 13216540987
      • +13216540987
      • 3216540987 (missing country code)
      • 1-321-654-0987
      • 1 (321) 654-0987
      • 1.321.654.0987

    • When a user adds their mobile number to their profile, the Hosted Login screen handles validation to ensure the phone number will work properly with 2FA. The user-friendly input field provides a country code drop-down and auto-formatting, and writes the required format to the user record. mobileNumber in Hosted Login

Hosted Login’s SMS for 2FA works internationally!

Add required attributes

You can check your schema in the Identity Cloud Console to see if you have the root-level mobileNumber and mobileNumberVerified attributes, which are required for 2FA via SMS to be enabled. 2FA options screen in Hosted Login

See Add SMS Attributes in the Hosted Login v2 Upgrade Guide for steps to check for these attributes and add them if they are missing.