spec checked
OWASP Multifactor Authentication Cheat Sheet
Documents MFA factors, authenticator app and push options, SMS and email caveats, passkeys, recovery codes, lost-factor recovery, remember-device controls, risk-based prompts, factor change protection, and user notification.
Pattern Decisions This Source Supports
| Pattern | Supported decision | Required contract | Claim note |
|---|---|---|---|
| Two-factor authentication | Choose two-factor authentication when the user must satisfy an additional factor after a primary credential, SSO return, passkey flow, risk signal, new device, or sensitive action. | The challenge appears only when the server requires additional verification and the protected action remains blocked until success. | OWASP supports MFA factor choices, recovery codes, lost-factor recovery, remember-device controls, risk-based prompts, factor change protection, and notifications. |
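The required contract in the row above is a server-side property: the second-factor prompt is issued only when the server decides it is needed, and the protected action stays blocked until verification succeeds. The following Python is an added illustration of that contract, not code from the OWASP cheat sheet or from any pattern-library implementation. The policy values (`SENSITIVE_ACTIONS`, the 300-second step-up freshness window, the 30-day remember-device TTL), the `User`/`Session` classes and the helper names are assumptions made for the example; the TOTP routine follows RFC 6238 so the block runs offline and its `demo()` walks through new-device prompt, a failed code, remember-device, step-up for a sensitive action, single-use recovery codes, and factor-change gating with notification.

```python
"""Server-side MFA gate (constructed example; not from the OWASP cheat sheet)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional

# Assumed policy values, not taken from the source.
SENSITIVE_ACTIONS = {"change_password", "change_mfa_factor", "export_data"}
FRESH_MFA_WINDOW = 300            # seconds a verification stays "fresh" for step-up
REMEMBER_DEVICE_TTL = 30 * 86400  # seconds a remembered device skips the routine prompt


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) so the example needs no network."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class User:
    name: str
    totp_secret: bytes
    recovery_hashes: set = field(default_factory=set)       # hashes only, never plaintext
    remembered_devices: dict = field(default_factory=dict)  # device_id -> expiry (unix time)
    notifications: list = field(default_factory=list)       # messages the user would receive


@dataclass
class Session:
    user: User
    device_id: str
    mfa_verified_at: Optional[int] = None
    pending_reason: Optional[str] = None


def challenge_reason(session: Session, action: str, now: int) -> Optional[str]:
    """Decide on the server whether a second factor is required right now."""
    verified = session.mfa_verified_at
    if action in SENSITIVE_ACTIONS:
        if verified is not None and now - verified <= FRESH_MFA_WINDOW:
            return None
        return "sensitive_action"        # step-up: a recent verification is required
    if verified is not None:
        return None                      # already verified in this session
    expiry = session.user.remembered_devices.get(session.device_id)
    if expiry is not None and expiry > now:
        return None                      # remembered device skips the routine prompt
    return "new_device"


def authorize(session: Session, action: str, now: int) -> tuple:
    """Gate a protected action: it stays blocked with a challenge until MFA succeeds."""
    reason = challenge_reason(session, action, now)
    if reason:
        session.pending_reason = reason
        return ("challenge", reason)
    return ("allowed", None)


def _complete(session: Session, now: int, remember: bool, method: str) -> None:
    session.mfa_verified_at = now
    session.pending_reason = None
    if remember:
        session.user.remembered_devices[session.device_id] = now + REMEMBER_DEVICE_TTL
    session.user.notifications.append(f"MFA completed via {method} on {session.device_id}")


def verify_totp(session: Session, code: str, now: int, remember: bool = False) -> bool:
    expected = totp(session.user.totp_secret, now)
    if not hmac.compare_digest(expected, code):
        return False
    _complete(session, now, remember, "totp")
    return True


def verify_recovery_code(session: Session, code: str, now: int) -> bool:
    """Recovery codes are single use: consumed on success, and the user is notified."""
    digest = _hash(code)
    if digest not in session.user.recovery_hashes:
        return False
    session.user.recovery_hashes.discard(digest)
    _complete(session, now, remember=False, method="recovery_code")
    return True


def change_mfa_factor(session: Session, new_secret: bytes, now: int) -> bool:
    """Changing a factor is itself a gated sensitive action and is always notified."""
    if authorize(session, "change_mfa_factor", now)[0] != "allowed":
        return False
    session.user.totp_secret = new_secret
    session.user.notifications.append("MFA factor changed")
    return True


def demo() -> dict:
    """Walk the contract through constructed data; returns a transcript of outcomes."""
    now = 1_700_000_000
    user = User("alice", b"12345678901234567890", recovery_hashes={_hash("rc-aaaa-bbbb")})
    s = Session(user, device_id="laptop-1")
    out = {}
    out["view_before"] = authorize(s, "view_profile", now)         # ("challenge", "new_device")
    right = totp(user.totp_secret, now)
    wrong = right[:-1] + str((int(right[-1]) + 1) % 10)            # guaranteed to differ
    out["wrong_code"] = verify_totp(s, wrong, now)                 # False
    out["view_after_wrong"] = authorize(s, "view_profile", now)    # still blocked
    out["right_code"] = verify_totp(s, right, now, remember=True)  # True
    out["view_after"] = authorize(s, "view_profile", now)          # ("allowed", None)
    later = now + 3600
    out["export_stale"] = authorize(s, "export_data", later)       # step-up required
    out["recovery"] = verify_recovery_code(s, "rc-aaaa-bbbb", later)        # True
    out["recovery_reuse"] = verify_recovery_code(s, "rc-aaaa-bbbb", later)  # False
    out["export_fresh"] = authorize(s, "export_data", later)       # ("allowed", None)
    s2 = Session(user, device_id="laptop-1")                       # new session, remembered device
    out["new_session_view"] = authorize(s2, "view_profile", later) # ("allowed", None)
    out["notifications"] = len(user.notifications)                 # 2
    return out
```

The decision lives entirely in `challenge_reason`; the client never tells the server that a challenge was passed, it only submits a code, and `authorize` re-evaluates the gate on every call, which is what keeps the protected action blocked after a failed attempt. Storing only hashes of recovery codes and discarding a hash on use is what makes each code single use.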
Evidence Role
This source is treated as spec evidence. Use it to validate the decision rules above, not as a visual style reference.
Publisher: OWASP Cheat Sheet Series. Last checked: .