How to Setup Multi-Factor Authentication

Protecting your user accounts is very important to most people. Multi-Factor Authentication is a method that requires users to provide an additional randomly generated secret during the authentication process to validate their identity should a password secret have been compromised.

Setting up Multi-Factor Authentication for a user account is fairly straight forward. First, authenticate the user using an existing secret such as a password. Once authenticated you can now create an mfa secret.

POST /users/00000000-0000-0000-0000-000000000000/secrets HTTP/1.1
Host: api.demo.goaxr.cloud
Content-Type: application/json
Authorization: jwt f902e78f90827f2.f20978f23v9807039q.2vf9287vf93q879038q27f029q87vf90q2

{
    "type": "mfa",
}

Upon success, the system will return the newly created secret containing the MFA information needed to register a compatible MFA device. An example is shown below.

200 OK
Content-Type: application/json

{
    "type": "mfa",
    "secret": {
        "otpauth_url": "https://api.demo.goaxr.cloud/v1/auth/totp",
        "secret": "flkj32q979bv7f98327vf93q"
    }
}

At this point while MFA has been initialized for the account it is not activated yet. Use the provided otpauth_url and secret to register the user’s MFA device. Then, using an initial generated code send a PUT request to the /users/:userId/secrets/:secretId endpoint containing the code to complete the MFA enrollment.

For example; imagine the above response was entered into the MFA device and produced a code of 021589. To finish enrollment the following request must be sent to the service.

PUT /users/00000000-0000-0000-0000-000000000000/secrets/00000000-0000-0000-0000-000000000001/enroll HTTP/1.1
Host: api.demo.goaxr.cloud
Content-Type: application/json
Authorization: jwt f902e78f90827f2.f20978f23v9807039q.2vf9287vf93q879038q27f029q87vf90q2

{
    "token": 021589,
}

If the provided MFA code is correct the service will generate a set of backup codes that can be used to recover the account if future authentication requests fail.

200 OK
Content-Type: application/json

{
    ...
    "codes": [
        "<code1>",
        "<code2>",
        "<code3>",
        ...
    ]
}

Now MFA has been activated on the account! All future password authentication attempts will require MFA validation.