Larzous 22h ago

MFA vs 2FA lifetimes

MFA Descriptions: https://zitadel.com/docs/guides/manage/console/default-settings#multifactor-mfa

Login Lifetimes: https://zitadel.com/docs/guides/manage/console/default-settings#login-lifetimes

Detail Information on Lifetimes: https://zitadel.com/docs/apis/resources/settings_service_v2/settings-service-get-login-settings

I'm trying to determine the difference between the "Second Factor Check" and "Multifactor Check" and how I can know when one timer is being used for a given login. When you look at a user's settings, all of the second factors are within the MFA? Yet, when I go to the API designations I see different things. So if someone is using a U2F, is this a secondaryFactor or multiFactor?

- secondFactors
  - SECOND_FACTOR_TYPE_U2F
- multiFactors
  - MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
1 Reply
Ask Inkeep 22h ago

Hi @Larzous, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

ZITADEL distinguishes between Second Factor and Multi-Factor authentication types (1) (2).

Second Factors include:

- SECOND_FACTOR_TYPE_OTP (Time-based one-time password/TOTP)
- SECOND_FACTOR_TYPE_U2F (Universal Second Factor)

Multi-Factors include:

- MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION

The key difference is that SECOND_FACTOR_TYPE_U2F provides device-based authentication (like Windows Hello, Apple FaceID, Fingerprint, FIDO2 keys, Yubikey), while MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION requires user verification as part of the authentication process (1).

For the Login Lifetimes (2):

- Second Factor Check Lifetime specifies after which period a user has to revalidate the 2-Factor during the login process
- Multi-factor Login Check Lifetime specifies after which period a user has to revalidate the Multi-factor during the login process

When a user authenticates with SECOND_FACTOR_TYPE_U2F, the Second Factor Check Lifetime applies. When they authenticate with MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION, the Multi-factor Login Check Lifetime applies.

I wasn't able to find explicit documentation on how to programmatically determine which timer is active for a given login session. Here are some relevant sources:

1. ZITADEL Default Settings: Details the MFA configuration options
2. Multi-Factor Authentication (MFA) in a Custom Login UI (1): Shows the different factor types in API responses

To learn more, see the sources I considered:

[1] Multi-Factor Authentication (MFA) in a Custom Login UI
[2] ZITADEL Default Settings

Feel free to tag @Ask Inkeep with additional questions.
