Skip to main content

Not all MFA methods are created equally: what authentik supports (and why)

· 8 min read
Jens Langhammer
Jens Langhammer
CTO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.

Many of the high-profile security breaches of the 2010s involved hackers gaining access to username and password pairs. Before multi-factor authentication (MFA) was commonplace, these breaches effectively gave bad actors the keys to the kingdom, since people tend to reuse passwords across platforms and there was no second line of defense against attacks.

Today we have a lot more options for additional authentication steps, which we’ll explore below, while also taking a look at the choices we have made for authentik.

What is multi-factor authentication?

MFA is a security method that requires users to provide two or more different forms of identification to access an account or system. This method combines something the user knows (like a password), something they have (such as a mobile device or security token), and/or something they are (like a fingerprint or facial recognition).

Requiring multiple authentication factors makes it much more difficult for unauthorized users to gain access, even if one factor is compromised.

A (brief) history of MFA

Passwords were first introduced as a single, primary factor for authentication in the 1960s. Early implementations of second factors were developed in the ’80s and ’90s, with RSA introducing the first password-generating key fob in 1986, but a wider variety (and widespread use) only took off in the 2000s. Smartphones opened up new options for receiving authentication codes via SMS or email. As devices became more advanced, biometric authentication methods using fingerprints and facial recognition were added.

Single Sign-On (SSO) solutions, which allow users to securely access multiple applications with one set of credentials, emerged as early as the 1990s with Microsoft’s Active Directory. SSO really gained traction with the great cloud migration of the 2010s, as a way of addressing the challenges of authenticating users across both on-premises and cloud-based applications.

Now, modern SSOs further enhance security around access control by providing a wide range of MFA or Two-Factor Authentication (2FA) methods for employees to choose from when verifying their identity to access company systems, such as receiving codes via SMS, using an authenticator app, security keys, biometrics, or email verification.

MFA in authentik

Authentik is an open source identity provider, supporting all the common authentication factors you would expect. Over the years, and even in this most recent release, we have added more and more MFA options to authentik. Let's take a closer look at each of these factors:

1. TOTP

TOTP (Time-Based One-Time Passwords) has been around for a long time and is widely supported. Unique numeric one-time passwords (OTP) are generated, for example, by Google Authenticator or Authy, with a standardized algorithm based on the current time. TOTP codes are available offline—handy when employees are traveling.

In authentik, you can add a stage to your login flow, to force the requirement of MFA during log in. Authentik admins can configure how many digits should be used for the OTP token. We also provide stages to prompt users for an email address, a static token, or a passkey as a login requirement. Let’s take a closer look at the options in authentik.

2. Static tokens

Static tokens are a set of recovery codes that you download and save in the event that you lose access to your primary authentication factor. They can be used as a backup to TOTP.

3. SMS

While receiving a code via SMS is not the most secure (SMS messages are not encrypted and mobile numbers are vulnerable to SIM swapping), SMS is still a common fallback, so authentik does offer it as an option. You can add another layer of security by limiting phone numbers to a specific region code.

4. WebAuthn

WebAuthn is one of the newer authentication methods that is often used for managing Passkeys, which authenticates a device rather than a user’s identity. This eliminates the need for authentication with a password or a second factor like a one-time password. A device can be registered and authenticated with the user’s biometrics such as Face ID or a fingerprint, or with a defined Passkey. The advantage of this method is that it is more convenient for end users, and critically, isn’t vulnerable to exploitation due to data breaches. WebAuthn is currently the only authentication type you can use as a primary factor in authentik. Authentik admins can choose to restrict the acceptable device types (e.g. to ensure only FIPS-compliant devices are used) or require a removable device such a YubiKey for an additional authentication step.

5. Duo

With Duo authenticator, you can enable push notifications to a user’s device as a second factor. This is handy for some protocols like Radius that don’t have native support for entering an additional factor. There are some workarounds, like for TOTP or SMS, in the password field you can enter your password, followed by a colon and the OTP:

Username: alicebob

Password: password:OTP

But this native solution isn’t the smoothest user experience, so Duo is a great alternative allowing users to confirm a login attempt. Eventually we’d like to develop our own solution for push notifications, so that our customers don’t have to pay for a Duo plan as well.

6. Endpoint

Another more recent development, Endpoint integrates with Google Chrome to allow authentik to validate from which device a user is accessing authentik. This enables you to make policy decisions like bypassing 2FA if a user is logging in from a corporate-managed device, or adding another authentication requirement if it detects the firewall is not enabled. Endpoint currently only supports Google Chrome, but we want to build a lot more options around this in the future.

7. Email address

We have just released, in our 2025.2 version, the option to send an email with a code as a second factor. Admins now have the ability to configure the option for users to use their email address as an authenticator, and then use that address to receive one-time passwords.

Mix and match for defense in depth

For an even stronger defense, you can mix and match some combination of the authentication factors, with policies to account for different scenarios. This is part of what’s known as ‘defense in depth’.

For example:

  1. Require a Yubikey for a group of users to access certain applications.
  2. Check the ID to make sure it’s a secure device being enrolled and used.
  3. For some applications, require an additional, FIPS-compliant YubiKey.

We built the above functionality for one of our large customers, and it shows how granular you can get by adding in layers of factors and different access paths for different users. We’ve seen some organizations rolling out new releases and using passkeys to manage the rollout by checking if a user is in a "passkey trial group" when authenticating. That is, if the user is in the trial group they can proceed with a passkey; anyone else must authenticate with a different factor.

It’s really up to you how you want to configure your MFA requirements. In a corporate environment, do you want to enable automated account recovery by email verification, by MFA? You might not want to have recovery tokens at all, and simply have employees call the help desk if they lose access to their authenticator.

While we’re not too opinionated about what methods you support or policies you set up, we do try to make it difficult to shoot yourself in the foot (for example, you have to download your recovery codes before being able to continue with set up).

Reliable authentication is more important than ever

Beyond data breaches, phishing and social engineering are still among the biggest threats to your organization’s security. Google Cloud’s Cybersecurity Forecast 2025 anticipates that bad actors will increasingly use AI and LLMs to develop and scale more convincing attacks. Authenticated devices can make your security posture more robust, since it’s much harder for attackers to steal a physical device than obtain a one-time password.

Choosing an SSO provider that supports a wide variety of factors for MFA allows you to strike a balance between security and ease of use for employees. Additional measures such as session duration, privileged accounts, and role-based access control help to limit the blast radius in the event of an attack.

If you’re looking for an SSO provider that’s flexible and easy to configure, check out authentik. Whether you’re a homelab user or looking for an enterprise solution, we’d love to work with you. If you have any questions you can reach us on GitHub, Discord, or via email to [email protected].

Rebecca Dodd contributed to this post.