MFA
Multi-Factor Authentication (MFA) is a security system that requires more than one method of authentication, drawn from independent categories of credentials, to verify a user's identity. This typically combines something the user knows (a password) with something the user has (a phone running an authenticator app that generates a one-time password, or OTP). Because the second factor is independent of the password, a leaked or phished password alone is no longer enough to log in.
Creating a Two-Factor Authenticator
To set up MFA, you first create a two-factor authenticator by sending a request to the POST /reg/mfa/associate endpoint.
Body Parameters:
{
"type": "otp" //the type of two-factor authenticator to create. For OTP this must be "otp". This parameter is required.
}
Example Response
On successful creation, the server responds with details of the authenticator. Note that barcodeUri carries the TOTP shared secret in its secret parameter, so treat this response as sensitive: display it to the user once for enrollment and do not write it to logs.
{
"authenticator_type": "otp", //the type of authenticator, in this case, "otp".
"barcodeUri": "otpauth://totp/example%40gmail.com?secret=SOMNVLF2TQ7XL&issuer=SELF", //otpauth key URI that embeds the shared secret; render it as a QR code for scanning with an authenticator app like Google Authenticator.
"twoFactorId": "48b7084c-7edd-47a2-ba48-2abed71aa7c9", //a unique identifier for the two-factor authenticator.
"active": true //a boolean indicating whether the authenticator is active.
}
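The following is an added example, not code from the page or from Vault itself: it parses the barcodeUri returned above, derives TOTP codes from it (RFC 6238, with the SHA1 / 6-digit / 30-second defaults that authenticator apps assume when the URI omits them), verifies a submitted code in constant time with a one-step window, and shows which fields of the response are safe to log. The response dict is the page's example embedded as constructed input; no request is made to the API.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample input: the page's example response from POST /reg/mfa/associate.
ASSOCIATE_RESPONSE = {
    "authenticator_type": "otp",
    "barcodeUri": "otpauth://totp/example%40gmail.com?secret=SOMNVLF2TQ7XL&issuer=SELF",
    "twoFactorId": "48b7084c-7edd-47a2-ba48-2abed71aa7c9",
    "active": True,
}

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... key URI into label, issuer, raw key and TOTP parameters.

    Applies the defaults authenticator apps use (SHA1, 6 digits, 30 s) and rejects
    anything that is not a TOTP URI or that names an unsupported hash.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret parameter")
    label = unquote(u.path.lstrip("/"))
    # The issuer may be a query parameter or an "Issuer:account" prefix in the label.
    issuer = q.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in _HASHES:
        raise ValueError(f"unsupported algorithm {algorithm}")
    # otpauth secrets are unpadded base32 (the page's is 13 characters); Python's
    # decoder insists on '=' padding to a multiple of 8, so add it back.
    secret = q["secret"].strip().upper()
    secret += "=" * (-len(secret) % 8)
    return {
        "label": label,
        "issuer": issuer,
        "key": base64.b32decode(secret),
        "algorithm": algorithm,
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(params: dict, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP for the parsed URI at Unix time `at` (default: now)."""
    t = time.time() if at is None else at
    return hotp(params["key"], int(t // params["period"]), params["digits"], params["algorithm"])


def verify_totp(params: dict, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Constant-time check of a submitted code against the current step and +/- `window` steps."""
    t = time.time() if at is None else at
    step = int(t // params["period"])
    ok = False
    for delta in range(-window, window + 1):  # always evaluates every step; no early exit
        expected = hotp(params["key"], step + delta, params["digits"], params["algorithm"])
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def log_safe_view(associate_response: dict) -> dict:
    """Fields safe to write to application logs: never the barcodeUri (it holds the secret)."""
    p = parse_otpauth(associate_response["barcodeUri"])
    return {
        "twoFactorId": associate_response["twoFactorId"],
        "authenticator_type": associate_response["authenticator_type"],
        "active": associate_response["active"],
        "label": p["label"],
        "issuer": p["issuer"],
    }


if __name__ == "__main__":
    params = parse_otpauth(ASSOCIATE_RESPONSE["barcodeUri"])
    print(log_safe_view(ASSOCIATE_RESPONSE))
    current = totp(params)
    print("current code:", current, "verifies:", verify_totp(params, current))
```

Feeding the URI from the response into `totp()` and comparing against what the user's app displays is a quick way to confirm that an enrollment succeeded before relying on it; `verify_totp()` accepts the adjacent steps to tolerate small clock skew between the server and the phone, and should be paired with rate limiting on the server side since a 6-digit code is only a million possibilities.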
Viewing Created Authenticators
Once a two-factor authenticator has been created, you can retrieve the list of all configured authenticators with a request to the GET /reg/mfa/authenticators endpoint.
Example Response
The response is a list of authenticators, with details about each:
[
{
"authenticator_type": "otp", //the type of the authenticator
"id": "d31b0f0f-15ed-4824324e5-a168-5ff845dcd7c4", //the unique identifier of the authenticator.
"active": false //indicates whether the authenticator is currently active.
}
]
Conclusion
Setting up MFA with OTP provides an extra layer of security by ensuring that even if a user's password is compromised, their account remains protected by a second authentication factor. The API endpoints provided by Vault make it easy to create, manage, and retrieve information about these two-factor authenticators.