Two-Factor Authentication (2FA)

This section explains how 2FA works, how to enable and disable it, and how to log in with 2FA activated.

Two-Factor Authentication (2FA) is an additional security layer for account access. After entering the email and password during the sign-in process, users must verify their identity with a six-digit code sent to their email address. This feature ensures compliance with security standards and protects users' data.

Important

Per security requirements, 2FA is enabled by default for all users. However, if you wish to make 2FA optional for your users and assume the associated risks, contact your Account Manager to arrange this.

How to enable or disable Two-Factor authentication

The same process applies for both enabling and disabling.

If you make 2FA optional, users can manage it themselves from their profiles.

Step 1. Switch the current method

Endpoint:

POST /reg/mfa/authorization/switch

Use this endpoint to enable or disable Two-Factor authentication. It sends a confirmation code and returns a 200 OK response if the request is successful.

Step 2. Confirm switching the method

Endpoint:

POST /reg/mfa/authorization/switch/confirm

A valid confirmation code, sent by the previous endpoint, must be provided. If the code is correct, the MFA method is switched and a 200 OK response is returned.

Confirmation code requirements

Code format:

  • 6-digit numeric code;
  • only numbers allowed;

Code expiry:

  • valid for 5 minutes;
  • expired codes cannot be used for verification;

Resend policy:

  • a new code can be requested once every 60 seconds;
  • frequent requests are restricted;

Verification attempts & account lock:

  • users have 5 attempts to enter the correct code;
  • after 5 failed attempts, the account is temporarily locked;
  • the account automatically unlocks after a predefined period.
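The rules above are easiest to reason about as a small server-side state machine. The following is an added example (not code from this page or its API) that issues and verifies codes under exactly those limits: six digits, five-minute expiry, one resend per 60 seconds, five attempts and then a temporary lock whose duration the page leaves as "a predefined period" (15 minutes is assumed here). The clock and the delivery hook are injected so the timing rules can be exercised offline; the two messages marked "assumed wording" do not appear on the page.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Limits taken from the "Confirmation code requirements" list on this page.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 5 * 60        # valid for 5 minutes
RESEND_INTERVAL_SECONDS = 60     # a new code at most once every 60 seconds
MAX_ATTEMPTS = 5                 # 5 attempts before a temporary lock
LOCK_SECONDS = 15 * 60           # assumption: the page only says "a predefined period"

# Messages quoted from the error table on this page, plus two with assumed wording.
MSG_EXPIRED = "This confirmation code has expired. Please request a new one."
MSG_TOO_FREQUENT = "You are requesting codes too frequently. Wait a moment and try again."
MSG_LOCKED = "Your account is temporarily locked due to security concerns."
MSG_SENT = "A confirmation code has been sent."                      # assumed wording
MSG_NONE = "No active confirmation code. Please request a new one."  # assumed wording


@dataclass
class _CodeState:
    code: Optional[str]       # None once the code is consumed or the account is locked
    issued_at: float
    attempts_left: int
    locked_until: float = 0.0


class ConfirmationCodePolicy:
    """Server-side model of issuing and verifying the six-digit confirmation code."""

    def __init__(self, clock: Callable[[], float], sender: Callable[[str, str], None]):
        self._clock = clock      # injected so expiry and throttling are testable offline
        self._sender = sender    # delivery hook, e.g. e-mail: sender(user, code)
        self._states: dict[str, _CodeState] = {}

    def request_code(self, user: str) -> tuple[bool, str]:
        now = self._clock()
        state = self._states.get(user)
        if state is not None:
            if now < state.locked_until:
                return False, MSG_LOCKED
            if now - state.issued_at < RESEND_INTERVAL_SECONDS:
                return False, MSG_TOO_FREQUENT
        # The failed-attempt counter survives a re-issued code; it only resets on success.
        attempts = state.attempts_left if state is not None else MAX_ATTEMPTS
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"   # CSPRNG, zero-padded
        self._states[user] = _CodeState(code=code, issued_at=now, attempts_left=attempts)
        self._sender(user, code)
        return True, MSG_SENT

    def verify(self, user: str, submitted: str) -> tuple[bool, str]:
        now = self._clock()
        state = self._states.get(user)
        if state is None:
            return False, MSG_NONE
        if now < state.locked_until:
            return False, MSG_LOCKED
        if state.code is None:
            return False, MSG_NONE
        if now - state.issued_at > CODE_TTL_SECONDS:
            return False, MSG_EXPIRED
        well_formed = len(submitted) == CODE_LENGTH and submitted.isdigit()
        if well_formed and hmac.compare_digest(submitted, state.code):
            del self._states[user]   # success: counter resets and the code cannot be replayed
            return True, "Confirmation code accepted."   # assumed wording
        state.attempts_left -= 1
        if state.attempts_left <= 0:
            state.locked_until = now + LOCK_SECONDS
            state.code = None
            state.attempts_left = MAX_ATTEMPTS   # fresh allowance once the lock lapses
            return False, MSG_LOCKED
        return False, (f"This confirmation code is invalid. Ensure you're using the "
                       f"latest code sent. Attempts remaining: {state.attempts_left}.")
```

Note the constant-time comparison and the fact that a malformed submission (wrong length or non-digits) still consumes an attempt, so probing the format does not come free.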

To find out whether 2FA is enabled for your account, use the Retrieve User Information endpoint:

Response Example

{
  ...
  "authorizationMfaActive": false
}

The authorizationMfaActive field returns true if two-factor authentication is enabled, and false if it is disabled.


How to log in with 2FA enabled

If 2FA is activated, the standard authorization process includes an additional step for entering the code.

Step 1. Enter Email and Password

Endpoint:

POST /reg/v1/auth/token

Body Parameters:

Name     | Type   | Required | Description
email    | string | ➖       | Email address of the user.
password | string | ➖       | Password associated with the user account.

Headers:

Name      | Type   | Required | Description
partnerId | int32  | ✅       | Partner ID provided by the Key Account Manager.
grantType | string | ✅       | OAuth2.0 grant type (password_email).

If you receive the response below, 2FA is enabled for the account: a verification code has been sent to the user's email and must be submitted in the next request.

Response Example:

{
  "status": "FAILED_DEPENDENCY",
  "message": "2FA is required for this account",
  "traceId": "TraceId unavailable",
  "errors": []
}

A confirmation code is sent to the user's email.

Step 2. Enter confirmation code

Endpoint:

POST /reg/v1/auth/token

Call this endpoint again, this time including the confirmation code.

Body Parameters:

Name     | Type   | Required | Description
email    | string | ➖       | Email address of the user.
password | string | ➖       | Password associated with the user account.
mfaCode  | string | ✅       | Confirmation code sent to the user's email.

Headers:

Name      | Type   | Required | Description
partnerId | int32  | ✅       | Partner ID provided by the Key Account Manager.
grantType | string | ✅       | OAuth2.0 grant type (password_email).

Response Example:

{
  "access_token": "string",
  "token_type": "Bearer",
  "refresh_token": "string",
  "scope": "exchange:show payin:show user_mfa:read user_mfa:create deposit_crypto:show withdraw_crypto:show cardholder_user:show bank_account:show",
  "expires_in": 604800,
  "user_id": "usr:97194684-29f8-468f-8a67-249f30240655"
}

As a result, the user receives a new access token.
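The two-step login above (and the switch/confirm pair from "How to enable or disable Two-Factor authentication") fits into one small client. The following is an added example, not code from this page or its API: an AuthClient that detects the FAILED_DEPENDENCY reply, repeats the token call with mfaCode, and drives the switch flow, plus a constructed FakeServer that answers with the responses quoted on the page so the whole exchange runs offline. Assumptions not on the page: the host name, the HTTP status 424 paired with FAILED_DEPENDENCY (the client keys on the JSON status field, not on the HTTP code), the switch endpoints being authorised with the user's Bearer token, and the confirm request carrying the code in a field named "code".

```python
from __future__ import annotations

from typing import Callable, Optional

BASE_URL = "https://api.example.invalid"     # placeholder: the page documents paths only
TOKEN_PATH = "/reg/v1/auth/token"
SWITCH_PATH = "/reg/mfa/authorization/switch"
CONFIRM_PATH = "/reg/mfa/authorization/switch/confirm"

# post(url, headers, json_body) -> (http_status, json_payload); plug in requests/httpx for real use.
Transport = Callable[[str, dict, dict], tuple[int, dict]]


class AuthClient:
    """Client side of the login and 2FA-switch flows described on this page."""

    def __init__(self, post: Transport, partner_id: int):
        self._post = post
        self._partner_id = partner_id

    def _headers(self, grant_type: Optional[str] = None, token: Optional[str] = None) -> dict:
        headers = {"partnerId": str(self._partner_id)}
        if grant_type:
            headers["grantType"] = grant_type
        if token:   # assumption: switch endpoints take the user's access token as a Bearer header
            headers["Authorization"] = f"Bearer {token}"
        return headers

    def login(self, email: str, password: str, read_code: Callable[[], str]) -> dict:
        body = {"email": email, "password": password}
        status, payload = self._post(BASE_URL + TOKEN_PATH, self._headers("password_email"), body)
        if payload.get("status") == "FAILED_DEPENDENCY":
            # 2FA is active: a code was e-mailed; repeat the same call with mfaCode added.
            body["mfaCode"] = read_code()
            status, payload = self._post(BASE_URL + TOKEN_PATH, self._headers("password_email"), body)
        if status != 200 or "access_token" not in payload:
            raise PermissionError(payload.get("message", f"login failed (HTTP {status})"))
        return payload

    def switch_mfa(self, token: str, read_code: Callable[[], str]) -> bool:
        """Enable or disable 2FA: request a code, then confirm it. True on 200 OK from confirm."""
        status, payload = self._post(BASE_URL + SWITCH_PATH, self._headers(token=token), {})
        if status != 200:
            raise RuntimeError(payload.get("message", f"switch failed (HTTP {status})"))
        # Assumption: the confirm body carries the code under "code"; the page shows no body schema.
        status, _ = self._post(BASE_URL + CONFIRM_PATH, self._headers(token=token), {"code": read_code()})
        return status == 200


class FakeServer:
    """Constructed offline stand-in that answers with the response bodies quoted on this page."""

    MSG_INVALID = "This confirmation code is invalid. Ensure you're using the latest code sent."
    MSG_SESSION = "Your session has expired or is no longer valid. Please log in again."

    def __init__(self, email: str, password: str, code: str, partner_id: int, mfa_active: bool = True):
        self.email, self.password, self.code = email, password, code
        self.partner_id, self.mfa_active = partner_id, mfa_active
        self.token = "constructed-access-token"
        self.pending_switch = False
        self.calls: list[str] = []     # paths hit, so a caller can check the call pattern

    def post(self, url: str, headers: dict, body: dict) -> tuple[int, dict]:
        path = url[len(BASE_URL):]
        self.calls.append(path)
        if headers.get("partnerId") != str(self.partner_id):
            return 401, {"status": "UNAUTHORIZED", "message": "unknown partner", "errors": []}
        if path == TOKEN_PATH:
            if headers.get("grantType") != "password_email":
                return 400, {"status": "BAD_REQUEST", "message": "unsupported grant type", "errors": []}
            if (body.get("email"), body.get("password")) != (self.email, self.password):
                return 401, {"status": "UNAUTHORIZED", "message": "invalid credentials", "errors": []}
            if self.mfa_active and "mfaCode" not in body:   # 424 is assumed, not stated on the page
                return 424, {"status": "FAILED_DEPENDENCY", "message": "2FA is required for this account",
                             "traceId": "TraceId unavailable", "errors": []}
            if self.mfa_active and body["mfaCode"] != self.code:
                return 400, {"status": "BAD_REQUEST", "message": self.MSG_INVALID, "errors": []}
            return 200, {"access_token": self.token, "token_type": "Bearer",
                         "refresh_token": "constructed-refresh-token", "expires_in": 604800}
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, {"status": "UNAUTHORIZED", "message": self.MSG_SESSION, "errors": []}
        if path == SWITCH_PATH:
            self.pending_switch = True     # a real server e-mails the code at this point
            return 200, {}
        if path == CONFIRM_PATH:
            if self.pending_switch and body.get("code") == self.code:
                self.mfa_active, self.pending_switch = not self.mfa_active, False
                return 200, {}
            return 400, {"status": "BAD_REQUEST", "message": self.MSG_INVALID, "errors": []}
        return 404, {"status": "NOT_FOUND", "message": path, "errors": []}
```

The client treats the challenge as data, not as an exception: the first token call is expected to fail when 2FA is on, and only the second result decides whether a token was issued. Once the account has been switched to 2FA off, the same login() returns a token from the first call and never invokes read_code.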


How to resolve possible errors

Error message | Resolution method
This confirmation code has expired. Please request a new one. | Request a new code via the same endpoint and try again.
You are requesting codes too frequently. Wait a moment and try again. | Wait 60 seconds before requesting a new code.
This confirmation code is invalid. Ensure you’re using the latest code sent. Attempts remaining: 4. | Check the code in the most recent email and re-enter it.
Your session has expired or is no longer valid. Please log in again. | Your tokens are revoked, requiring re-authentication. Log in and repeat the process.
Your account is temporarily locked due to security concerns. | The account is locked temporarily and unlocks automatically. Wait or contact support to unlock the account.

Failed 2FA code attempts do not count as failed login attempts. After successful 2FA code validation, the attempt counter resets, allowing 5 new attempts for subsequent logins.