This documentation is for WSO2 Identity Server 5.1.0.




About multi-factor authentication

Multi-factor Authentication (MFA) creates a layered defence and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, Web service, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.


Authentication factors fall into three categories: something the user knows (a password or PIN), something the user has (a card, hardware token or phone) and something the user is (a biometric such as a fingerprint). A user is authenticated with a combination of two or more factors from these three. A basic example is withdrawing money with an ATM card: the card is the possession factor and the PIN is the knowledge factor.

MFA in mobiles

When a mobile phone is used as the second factor, the phone acts as the possession factor. This has become a popular approach because nearly every user already carries a phone, and the method can be adapted to different types of users.


The advantage of this method is that no additional, dedicated token is needed, since users carry their mobile devices with them anyway. Some two-factor authentication solutions also ensure that a valid passcode is always available to the user: once a passcode has been used it is invalidated and a new code is sent to the mobile device, and if the new code is not entered within a specified time limit the system automatically replaces it. This ensures that no old or already-used codes remain valid on the device. For added security, the number of incorrect entries permitted before the system blocks access can be configured.
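The passcode lifecycle just described (single-use codes, automatic replacement when a code expires, and a lockout after too many wrong entries) as an added example in Go; this is not code from the page or from WSO2 Identity Server. The six-digit code, the two-minute validity window, the three-failure limit, the `deliver` callback standing in for the push to the phone and the injectable clock are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Outcome is the verifier's decision for one submitted passcode.
type Outcome int

const (
	Accepted Outcome = iota
	Rejected         // wrong code; counted towards the lockout limit
	Expired          // not entered within the time limit; a replacement was sent
	Locked           // too many wrong entries; nothing is accepted any more
)

type issued struct {
	code     string
	expires  time.Time
	failures int
}

// PasscodeStore keeps one outstanding single-use code per user. The code length,
// validity window and failure limit are parameters chosen for this example, not
// values taken from any particular product.
type PasscodeStore struct {
	ttl      time.Duration
	maxFails int
	now      func() time.Time        // injectable clock so expiry can be exercised in tests
	deliver  func(user, code string) // stands in for pushing the code to the phone
	codes    map[string]*issued
}

func NewPasscodeStore(ttl time.Duration, maxFails int, now func() time.Time, deliver func(user, code string)) *PasscodeStore {
	return &PasscodeStore{ttl: ttl, maxFails: maxFails, now: now, deliver: deliver, codes: map[string]*issued{}}
}

// Issue replaces whatever code the user had with a fresh random six-digit one and
// sends it, so an old or already used code is never left valid. The failure count
// survives reissue; otherwise requesting a new code would reset the lockout.
func (s *PasscodeStore) Issue(user string) string {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint64(b[:])%1_000_000)
	fails := 0
	if prev := s.codes[user]; prev != nil {
		fails = prev.failures
	}
	s.codes[user] = &issued{code: code, expires: s.now().Add(s.ttl), failures: fails}
	s.deliver(user, code)
	return code
}

// Verify checks a submitted code: an accepted code is deleted so it cannot be
// replayed, an expired one is discarded and automatically replaced, and after
// maxFails wrong entries the user stays locked until an operator intervenes.
func (s *PasscodeStore) Verify(user, submitted string) Outcome {
	cur, ok := s.codes[user]
	if !ok {
		return Rejected // nothing outstanding: a reused or never-issued code
	}
	if cur.failures >= s.maxFails {
		return Locked
	}
	if !s.now().Before(cur.expires) {
		s.Issue(user)
		return Expired
	}
	if subtle.ConstantTimeCompare([]byte(cur.code), []byte(submitted)) != 1 {
		cur.failures++
		if cur.failures >= s.maxFails {
			return Locked
		}
		return Rejected
	}
	delete(s.codes, user)
	return Accepted
}

func main() {
	store := NewPasscodeStore(2*time.Minute, 3, time.Now, func(user, code string) {
		fmt.Printf("sending %s to the phone registered for %s\n", code, user)
	})
	code := store.Issue("alice")
	fmt.Println(store.Verify("alice", code), store.Verify("alice", code)) // Accepted (0), then Rejected (1)
}
```

The comparison uses `subtle.ConstantTimeCompare` so that a wrong guess does not leak how many leading digits were right, and the failure counter is carried over when a code is reissued, so an attacker cannot reset the lockout simply by letting codes expire.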

About FIDO

With the rapid growth of the internet, more and more services are available for use by enterprises and organizations. However, username and password based authentication still plays a major role in authenticating users, and it is essential to use a strong password to keep computers, data and accounts safe. Most users find it difficult to remember a strong password, especially if it has to be changed periodically.


FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing, because the credential is bound to the application identifier of the site that registered it, so a response obtained by a phishing site is not valid for the genuine one.

Figure 1: UAF and U2F.

Universal Authentication Framework (UAF)

UAF involves a password-less experience with the following key processes.

  • The user carries the client device with the UAF stack installed.

  • The user presents a local biometric or PIN.

  • The website can choose whether to retain the password.

Universal Second Factor (U2F)

U2F focuses on the second-factor experience and has the following key characteristics.


U2F tokens provide cryptographic assertions that can be verified by relying parties. Typically, the relying party is a web server, and the cryptographic assertions are used as second factors (in addition to passwords) during user authentication. U2F tokens are typically small, special-purpose devices; the FIDO client, typically a web browser, relays messages between the token and the relying party.

U2F protocol operations

The following are the three phases that take place when using FIDO U2F, for both registration and authentication.


  1. Setup: In this phase, the FIDO Client contacts the relying party and obtains a challenge. Using the challenge (and possibly other data obtained from the relying party and/or prepared by the FIDO Client itself), the FIDO Client prepares a request message for the U2F Token.
  2. Processing: In this phase, the FIDO Client sends the request message to the token, and the token performs cryptographic operations on the message, creating a response message. This response message is sent back to the FIDO Client.
  3. Verification: In this phase, the FIDO Client transmits the token's response message, along with other data necessary for the relying party to verify the token response, to the relying party. The relying party then processes the token response and verifies its signature. A correct registration response causes the relying party to register a new public key for a user, while a correct authentication response causes the relying party to accept that the client is in possession of the corresponding private key.

Basic authentication process flow of U2F

The following figure provides the complete authentication process flow when authenticating using FIDO U2F.


Figure 3: Authentication process flow for U2F
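The three phases above and the authentication flow of Figure 3, carried through as an added Go example with both sides of the exchange; this is not code from the page or from WSO2 Identity Server. It follows the U2F raw message format for the authentication signature (application parameter, user-presence byte, big-endian counter, challenge parameter, ECDSA P-256 over SHA-256), but the `Token` and `RelyingParty` types, the application IDs, the in-memory key tables and the random key handle are assumptions, and registration is simplified: the attestation certificate and signature are omitted and the user public key is handed over as a Go value rather than a 65-byte encoded point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token simulates a U2F authenticator (an assumed, simplified model, not a real device).
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	apps    map[string][32]byte // application parameter each key was registered for
	counter uint32              // grows with every signature so the RP can detect a clone
}
func (t *Token) Register(app [32]byte) (kh []byte, pub *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	kh = make([]byte, 32) // assumed: a random index into the token's tables, not a wrapped key
	rand.Read(kh)
	t.keys[string(kh)], t.apps[string(kh)] = priv, app
	return kh, &priv.PublicKey
}

// AuthResponse holds the U2F authentication response fields. Sig is ECDSA over
// appParam || userPresence || counter (4 bytes, big-endian) || challengeParam.
type AuthResponse struct {
	UserPresence byte
	Counter      uint32
	Sig          []byte
}
func signedDigest(app [32]byte, up byte, ctr uint32, chal [32]byte) []byte {
	m := append(app[:], up, byte(ctr>>24), byte(ctr>>16), byte(ctr>>8), byte(ctr))
	d := sha256.Sum256(append(m, chal[:]...))
	return d[:]
}
// Authenticate is the token side of the "processing" phase. A key signs only for the
// application it was registered with (this defeats phishing); bit 0x01 stands in for the touch.
func (t *Token) Authenticate(app, chal [32]byte, kh []byte) (AuthResponse, error) {
	priv, ok := t.keys[string(kh)]
	if !ok || t.apps[string(kh)] != app {
		return AuthResponse{}, errors.New("token: key handle not registered for this application")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(app, 0x01, t.counter, chal))
	return AuthResponse{0x01, t.counter, sig}, err
}

// RelyingParty is the web server. Its application parameter is SHA-256 of the
// application ID; per key handle it keeps the public key and highest counter seen.
type RelyingParty struct {
	AppID    string
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}
func (rp *RelyingParty) AppParam() [32]byte { return sha256.Sum256([]byte(rp.AppID)) }
// VerifyAuthentication is the "verification" phase: presence, signature, increasing counter.
func (rp *RelyingParty) VerifyAuthentication(chal [32]byte, kh []byte, a AuthResponse) error {
	pub, ok := rp.pubs[string(kh)]
	switch {
	case !ok:
		return errors.New("rp: unknown key handle")
	case a.UserPresence&0x01 == 0:
		return errors.New("rp: user presence not asserted")
	case !ecdsa.VerifyASN1(pub, signedDigest(rp.AppParam(), a.UserPresence, a.Counter, chal), a.Sig):
		return errors.New("rp: assertion signature invalid")
	case a.Counter <= rp.counters[string(kh)]:
		return errors.New("rp: counter did not increase: replay or cloned token")
	}
	rp.counters[string(kh)] = a.Counter
	return nil
}

// Demo registers a key, authenticates once, replays the same response, then lets a
// different application try the key handle; with every check working it returns nil, error, error.
func Demo() (authErr, replayErr, phishErr error) {
	tok := &Token{keys: map[string]*ecdsa.PrivateKey{}, apps: map[string][32]byte{}}
	rp := &RelyingParty{AppID: "https://idp.example.test", pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
	kh, pub := tok.Register(rp.AppParam())
	rp.pubs[string(kh)] = pub // the RP stores the public key from the registration response
	var nonce [32]byte // the RP's fresh random challenge; the challenge parameter is its SHA-256
	rand.Read(nonce[:])
	chal := sha256.Sum256(nonce[:])
	a, err := tok.Authenticate(rp.AppParam(), chal, kh)
	if err != nil {
		return err, nil, nil
	}
	authErr = rp.VerifyAuthentication(chal, kh, a)
	replayErr = rp.VerifyAuthentication(chal, kh, a)
	_, phishErr = tok.Authenticate(sha256.Sum256([]byte("https://idp.example.test.attacker.invalid")), chal, kh)
	return authErr, replayErr, phishErr
}

func main() { fmt.Println(Demo()) }
```

Two checks carry the security value. The relying party recomputes the signed data from its own application parameter and the challenge it issued, so a response is only accepted for the origin the browser actually talked to, and the token refuses to sign for a key handle presented by a different application. The counter check rejects a replayed response and, in production, is the only signal that a token has been cloned, so an RP should treat a non-increasing counter as an incident rather than a transient failure.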

Configuring multi-factor authentication using FIDO

The instructions in this section describe how to set up multi-factor authentication with FIDO U2F in the WSO2 Identity Server.

Setting up an account for MFA

  1. Log in to the WSO2 Identity Server end user dashboard.
  2. Navigate to the My Profile section by clicking the associated View Details button.
  3. Click Manage U2F Authentication.
  4. Add a new U2F device to your account; devices that are no longer needed can be removed here as well.


    Tip: You can have multiple devices associated to your account.