MFA Authentication Support
Last updated: April 30, 2026
Overview
Our authentication system is built using Stytch, leveraging passwordless login methods including:
Magic links (email-based login)
Google Sign-In (OAuth)
Because these methods do not use passwords, they differ from traditional authentication models.
How Authentication Works
Magic Links
When you log in via a magic link:
A secure link is sent to your email
Access is granted only if you can open that link
This verifies real-time control of your email inbox
Google Sign-In
When you use Google Sign-In:
Authentication is handled by Google
Any security measures (including MFA) configured on your Google account apply automatically
MFA (Multi-Factor Authentication) Considerations
Traditional MFA is typically defined as a combination of:
Something you know (e.g., password)
Something you have (e.g., phone, authenticator app)
Since our system is passwordless, this exact model does not apply directly.
However:
Magic links provide proof of access to your email account at the time of login
Google Sign-In inherits Google’s MFA protections (if enabled)
Compliance Perspective
For many security frameworks, this approach satisfies the intent of MFA requirements, as it ensures:
Verified identity through a trusted channel (email or Google)
Protection against unauthorized access
Security & Compliance Requests
If your organization:
Requires specific MFA controls for compliance (e.g., SOC 2, ISO 27001)
Needs documentation for internal security review
Please reach out and provide the requirement. We will:
Map our current authentication model to your requirement, or
Flag any gaps and evaluate them for our product roadmap