# Multi-Factor Authentication

:::info Coming Soon

This feature is under active development. The design below reflects our planned implementation.

:::
Multi-factor authentication (MFA) adds a second layer of security beyond passwords. Aero2 will support multiple second-factor methods that users can configure for their accounts.
## Supported Methods

### TOTP (Authenticator Apps)

Time-based one-time passwords generated with the standard RFC 6238 algorithm. Compatible with popular authenticator apps:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
On setup, Aero2 generates 10 recovery codes that the user should store securely. These codes can be used as a fallback if the authenticator device is lost.
### WebAuthn / Passkeys
Hardware and biometric authentication using the WebAuthn standard. Passkeys work as both:
- A second factor alongside a password
- A passwordless primary authentication method
Each application gets its own Relying Party (RP) ID based on its subdomain, ensuring passkeys are scoped to the correct application.
### SMS OTP
Phone-based verification where a one-time code is sent via SMS. Requires phone number verification during setup. SMS codes are valid for a limited time window.
## Per-Application MFA Policy
Each application can configure its own MFA policy:
| Policy | Behavior |
|---|---|
| Off (default) | MFA is not available for users |
| Optional | Users can enable MFA for their own accounts |
| Required | All users must set up MFA before they can sign in |
## MFA Challenge Flow

1. **User enters password.** The user provides their email and password as normal.
2. **Password verified.** Aero2 verifies the password. If MFA is enabled for the user, the flow continues.
3. **Challenge token issued.** A short-lived challenge token is returned instead of a full session. This token is only valid for completing the MFA step.
4. **User provides second factor.** The user enters their TOTP code, uses their passkey, or enters the SMS code.
5. **Full session created.** On successful verification, a full session is created and the user is signed in.
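The flow above, modelled in Python as an added example (not Aero2's own code): RFC 6238 TOTP verification with a one-step clock-skew window, and an in-memory `MfaFlow` in which the challenge token is single-use, expires after an assumed `CHALLENGE_TTL` of 120 seconds, and can only ever be exchanged for a session by presenting a valid second factor. The class, its method names and the TTL are assumptions for illustration; the test secret is the RFC 4226/6238 test-vector key.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30        # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6
CHALLENGE_TTL = 120   # assumed lifetime of the MFA challenge token, in seconds

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, code: str, at: int, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side to absorb clock drift.
    compare_digest keeps the comparison constant-time."""
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP), code)
               for d in range(-skew, skew + 1))

class MfaFlow:
    """In-memory model: password -> challenge token -> second factor -> session."""

    def __init__(self):
        self.challenges = {}  # challenge token -> (user, expiry)
        self.sessions = {}    # session token -> user

    def password_verified(self, user: str, now: int) -> str:
        """Step 3: hand back a short-lived challenge token, never a session."""
        token = secrets.token_urlsafe(32)
        self.challenges[token] = (user, now + CHALLENGE_TTL)
        return token

    def complete_mfa(self, token: str, code: str, secret: bytes, now: int):
        """Steps 4 and 5: the token is single-use and must be unexpired; only a valid
        code turns it into a session. A wrong code also consumes the token (assumed)."""
        entry = self.challenges.pop(token, None)
        if entry is None or now > entry[1] or not verify_totp(secret, code, now):
            return None
        session = secrets.token_urlsafe(32)
        self.sessions[session] = entry[0]
        return session
```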