Enhance User Security with HyperID's Two-Factor Authentication
Two-factor authentication (2FA) is a security measure that adds an extra layer of protection to user accounts. It requires users to provide two different types of authentication factors to access their accounts.
2FA can help protect user accounts against a wide range of attacks and comply with regulatory requirements. HyperID integrates 2FA checks into authorization flows, described in the corresponding chapters.
Additionally, HyperID provides an API to request the user's second-factor confirmation. It is strongly recommended that service providers use this API to confirm sensitive user actions, especially those that grant access to confidential data or systems.
HyperID offers the following 2FA methods, in order of priority:
- HyperID Authenticator App: A dedicated app that is linked to the user's personal device and allows the user to use the device's biometric security systems, such as fingerprint recognition, face recognition, or iris recognition as a second factor.
- Time-Based One-Time Passwords (TOTP): A widely adopted and trusted method that provides a time-sensitive, single-use code, enhancing security for user access. Users may use any application of their choice for TOTP (including HyperID Authenticator).
- SMS Code: Serves as a quick and efficient 2FA method for user verification.
- Alternative Email Verification Code: Opt to receive verification codes via alternative email addresses.
With the HyperID API, a client application can:
The typical call sequence involves requesting the list of available 2FA methods for the user, followed by starting a 2FA confirmation request using a specific method chosen from the available options. Finally, the application completes the 2FA verification with the last API call in this sequence. The completion step varies depending on the chosen method:
- For the HyperID Authenticator App, the application should periodically make a 'complete' request to learn whether the user confirmed or rejected the verification in the Authenticator.
- In the case of the TOTP, SMS, and email methods, the application should wait until the user provides the code (retrieved from the corresponding source) and then call 'complete', forwarding this code to HyperID, which verifies that it is correct.
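The following is an added example, not HyperID's own SDK or API, that drives the three-step sequence described above (list methods, start a request with the highest-priority available method, then complete it) against an in-memory stand-in for the HyperID server. The method names `list_methods`, `start` and `complete`, the status strings `pending`/`confirmed`/`rejected`, the `FakeHyperID` class and all sample codes are assumptions made for illustration. The client fails closed: it treats an exhausted poll budget, a rejected push, or a wrong code as "not confirmed", and refuses the action outright when the user has no enrolled method.

```python
import time
from typing import Callable, Dict, List, Optional

# Method priority as listed on the page (highest first).
METHOD_PRIORITY = ["authenticator", "totp", "sms", "email"]


def choose_method(available: List[str]) -> str:
    """Pick the highest-priority method the user has enrolled; fail closed if none."""
    for method in METHOD_PRIORITY:
        if method in available:
            return method
    raise RuntimeError("user has no usable 2FA method; refuse the sensitive action")


class FakeHyperID:
    """In-memory stand-in for the HyperID 2FA API (constructed for this example;
    the method names, status strings and return shapes are assumptions, not HyperID's)."""

    def __init__(self, available: List[str], expected_code: str = "",
                 authenticator_outcomes: Optional[List[str]] = None):
        self.available = available
        self.expected_code = expected_code
        # Answers the 'authenticator' poll returns in order, e.g. ["pending", "pending", "confirmed"].
        self.outcomes = list(authenticator_outcomes or [])
        self.requests: Dict[str, str] = {}  # request_id -> method
        self._counter = 0

    def list_methods(self, user_id: str) -> List[str]:
        return list(self.available)

    def start(self, user_id: str, method: str) -> str:
        if method not in self.available:
            raise ValueError("method not available for this user")
        self._counter += 1
        request_id = f"req-{self._counter}"
        self.requests[request_id] = method
        return request_id

    def complete(self, request_id: str, code: Optional[str] = None) -> str:
        method = self.requests[request_id]
        if method == "authenticator":
            # Push-style confirmation: stays pending until the user acts on the device.
            return self.outcomes.pop(0) if self.outcomes else "pending"
        # Code-based methods (TOTP/SMS/email): one verification of the forwarded code.
        return "confirmed" if code is not None and code == self.expected_code else "rejected"


class TwoFactorClient:
    """Drives list -> start -> complete; returns True only on an explicit confirmation."""

    def __init__(self, api, poll_interval: float = 0.0, max_polls: int = 10):
        self.api = api
        self.poll_interval = poll_interval
        self.max_polls = max_polls

    def confirm_action(self, user_id: str, code_prompt: Callable[[str], str]) -> bool:
        method = choose_method(self.api.list_methods(user_id))
        request_id = self.api.start(user_id, method)
        if method == "authenticator":
            # Poll 'complete' until the user confirms or rejects; running out of polls fails closed.
            for _ in range(self.max_polls):
                status = self.api.complete(request_id)
                if status != "pending":
                    return status == "confirmed"
                time.sleep(self.poll_interval)
            return False
        # TOTP / SMS / email: wait for the user to enter the code, then forward it once.
        code = code_prompt(method).strip()
        return self.api.complete(request_id, code=code) == "confirmed"


if __name__ == "__main__":
    # Constructed sample: user has SMS and TOTP enrolled; TOTP outranks SMS in priority.
    api = FakeHyperID(available=["sms", "totp"], expected_code="482913")
    client = TwoFactorClient(api)
    print(client.confirm_action("alice", lambda method: "482913"))  # True
```

In a real integration `code_prompt` would be the UI step that collects the code from the user, and `max_polls` together with `poll_interval` bounds how long a sensitive action can remain pending before the application gives up and denies it.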