The Stytch team

2024.01.26 | TOTP and Recovery Codes for MFA

AUTHOR: The Stytch team

New MFA features for B2B SaaS Authentication

We are excited to announce the launch of Time-Based One-Time Passcodes (TOTP) and Recovery Codes as new multi-factor authentication (MFA) features in our B2B SaaS Authentication platform. 

Time-Based One-Time Passcodes 

TOTP enhances account security by ensuring only the person in possession of a registered device, typically through a mobile authenticator app like Google Authenticator, Microsoft Authenticator, Duo Mobile, and Authy, can access their account with a secondary auth factor. With Stytch’s flexible auth controls, developers have multiple options for implementing MFA in their multi-tenant applications: 

  • At the Organization level: MFA policies can be configured to require TOTP login for the entire Organization.

  • At the Member level: individual users can opt in to MFA for more security and specify TOTP as their default secondary factor. 

//MFA policy enforced at the Organization level
"organization": {
    "organization_id": "organization-test-07971b06...",
    "organization_name": "Example Org Inc.",
    "organization_slug": "example-org",
    "email_allowed_domains": [""],
    "mfa_policy": "REQUIRED_FOR_ALL",
    "mfa_methods": "RESTRICTED",
    "allowed_mfa_methods": ["totp"],
//MFA opt-in settings at the Member level
"member": {
    "member_id": "member-test-32fc5024-...",
    "name": "Example Member"
    "email_address": "",
    "mfa_enrolled": true,
    "default_mfa_method": "totp",
    "totp_registration_id": "member-totp-test-41920359...",

Recovery Codes

Alongside TOTP, we have also rolled out Recovery Codes. This is a failsafe mechanism designed to provide access to Members in the event they lose their TOTP device or encounter issues with it. Each member will receive a set of unique, one-time use recovery codes that can be used to regain access to their accounts. Developers can also fetch all active Recovery Codes for each Member and, when needed, generate new codes by rotating them.

Check out the Docs to start implementing secure MFA flows with TOTP and Recovery Codes. 

Where to find us

Stytch community Slack

Join the discussion, ask questions, and suggest new features in our Slack community!

Get support

Check out the Stytch Forum or email us at

Powered by LaunchNotes