How to trigger MFA init for a specific user?
I want users in my application to set up MFA (U2F, TOTP, email/SMS). However, I don't want to implement it on my own, and I'd prefer to use the existing UI that I see after first login.
In other words, ideal flow is:
1. User presses a button in my app "setup the MFA", and makes a ZITADEL API call.
2. I log the user out.
3. User logs in and receives ZITADEL's form to set up the MFA.
Q: Why not console?
A: I'd like to show a small amount of functionality, without "Metadata", "Memberships" and "Identity providers"
Q: Why not "Enforce MFA" checkbox?
A: I want to have MFA optional, but allow users to switch it on for themselves at the moment they want.
Q: Why not write it myself?
A: Because the docs lack a step-by-step tutorial on how to do it for, for example, U2F, and the error messages are puzzling.
7 Replies
Hey @lev
https://zitadel.com/docs/guides/integrate/login-ui/mfa
You can find everything here related to the MFA integration guide (TOTP, SMS, email, U2F): a complete walkthrough with API examples.
When the user clicks “Setup MFA” in your app, call the ZITADEL User API to add the chosen factor.
Lmk if this helps
Hi @Rajat Singh, thanks for the quick answer. Is it possible, however, not to recreate the whole thing that you guys already built, and just use the well-designed, elegant pre-existing solution?
Hey @lev
1. User clicks "Setup MFA" in your app
→ Your backend calls ZITADEL's UserService endpoints to start the chosen factor flow:
• POST /v2/users/{userId}/totp
• POST /v2/users/{userId}/otp_sms
• POST /v2/users/{userId}/otp_email
• POST /v2/users/{userId}/u2f
2. You log the user out
→ Next login session picks up the "pending MFA" and triggers the hosted screens.
3. User logs in with ZITADEL's hosted UI
→ They see the elegant, branded MFA setup process.
Wow, looks like exactly what I wanted! I'll try it and come back with my impressions!
Hey, @Rajat Singh. You mention backend. Does it mean that the token must be a service/admin one, not the user one? Because with the user token the next login does not trigger anything.
OK, I tried to make a POST /v2/users/{userId}/totp request with the admin's token, and it does not trigger the hosted screens. What am I doing wrong?
Hey @lev
You’re using an admin token, which performs the action on behalf of the user, but doesn’t link the MFA setup to the user’s current session, so ZITADEL won’t show the hosted UI screens.
You need to call /v2/users/{userId}/totp using the user’s own access token (i.e., the token they got when logging in interactively via the browser).
@Rajat Singh, FYI, I finally found a workaround to trigger an MFA setup. I create and immediately reset the OTP_email and then log out the user. This resets the MFA counter, and during login the user is prompted to set up MFA.
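As an added example (not code from ZITADEL or from anyone in this thread), the following Python script builds the User API calls named in Rajat's reply and the "add OTP email, then remove it" sequence from the workaround above. The endpoint paths for the four factors come from the thread; the base URL, the use of DELETE on /v2/users/{userId}/otp_email for the "reset" step, and the response shapes are assumptions. The `access_token` parameter is the token the caller chooses to send; per the reply above, the hosted MFA screens are only triggered when that is the user's own interactive session token, not a service or admin token.

```python
"""Build and send ZITADEL v2 User API calls for MFA factor enrolment.

Added example, not ZITADEL's own code. Assumed (not from the thread):
the base URL, the DELETE endpoint used for the workaround's "reset",
and the JSON response bodies.
"""
import json
import os
import sys
import urllib.request
from urllib.error import HTTPError

# Factor endpoints listed in the thread, keyed by a short name.
FACTOR_PATHS = {
    "totp": "/v2/users/{userId}/totp",
    "otp_sms": "/v2/users/{userId}/otp_sms",
    "otp_email": "/v2/users/{userId}/otp_email",
    "u2f": "/v2/users/{userId}/u2f",
}


def build_factor_request(base_url, user_id, factor, access_token, method="POST"):
    """Return a dict describing one API call (method, url, headers, body).

    access_token must be the user's own interactive access token if the
    goal is to have the next hosted login show the MFA setup screens.
    """
    if factor not in FACTOR_PATHS:
        raise ValueError(f"unknown factor {factor!r}; expected one of {sorted(FACTOR_PATHS)}")
    if not access_token:
        raise ValueError("an access token is required")
    path = FACTOR_PATHS[factor].replace("{userId}", user_id)
    return {
        "method": method,
        "url": base_url.rstrip("/") + path,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        # ZITADEL's register calls take the user id from the path, so an
        # empty JSON object is enough for POST; DELETE sends no body.
        "body": {} if method == "POST" else None,
    }


def workaround_requests(base_url, user_id, access_token):
    """The thread's workaround: add OTP email, then immediately remove it.

    Assumption: removal is DELETE on the same path as the POST.
    """
    return [
        build_factor_request(base_url, user_id, "otp_email", access_token, "POST"),
        build_factor_request(base_url, user_id, "otp_email", access_token, "DELETE"),
    ]


def send(req):
    """Perform one built request; returns (status, parsed JSON or {})."""
    data = None if req["body"] is None else json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(
        req["url"], data=data, headers=req["headers"], method=req["method"]
    )
    try:
        with urllib.request.urlopen(http_req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else {})


if __name__ == "__main__":
    # Usage: ZITADEL_URL, ZITADEL_USER_ID and ZITADEL_USER_TOKEN set in the
    # environment; first argument is a factor name or "workaround".
    base = os.environ["ZITADEL_URL"]
    uid = os.environ["ZITADEL_USER_ID"]
    tok = os.environ["ZITADEL_USER_TOKEN"]
    what = sys.argv[1] if len(sys.argv) > 1 else "totp"
    reqs = workaround_requests(base, uid, tok) if what == "workaround" \
        else [build_factor_request(base, uid, what, tok)]
    for r in reqs:
        status, body = send(r)
        print(r["method"], r["url"], "->", status, json.dumps(body)[:200])
```

Run it with the user's own token after an interactive login, then end the user's session; the hosted login on the next sign-in is where the setup screens are expected to appear. A non-2xx status is returned rather than raised so the caller can see ZITADEL's error body.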
Hi @lev, thanks for the update. I was on vacation so didn't see it; glad you worked it out.