p99 18ms · edge 47 regions · uptime 99.997

MFA, everywhere
where the value is.

TOTP, WebAuthn, push, SMS, email — every factor. Step-up at the route, action, or risk-score level. The friction lives where the value does.

risk-engine · POST /v1/billing/delete
live · req_01HZ8K3M
— RISK · INPUTS
user: val@acme.com
action: billing.delete
resource: org_acme
last factor: password · 41m ago
— SIGNALS
device: macbook · trusted 47d · low · 0.2ms
geo: San Francisco, US · low · 0.3ms
asn: comcast · recurring · low · 0.2ms
time: 09:14 local · usual · low · 0.1ms
velocity: 4th sensitive call · 2m · mid · 0.4ms
route: POST billing.delete · high · 0.2ms
VERDICT — STEP UP
Fresh proof required before destructive action.
webauthn · totp
— USER SEES
VERIFY · AUTHENTICATOR · refreshes 18s
835—912
ACCEPT 94.2% · MEDIAN 7.1s · 30d 1,841
policy: require for billing + member-mgmt · edge-evaluated
The pitch

MFA shouldn't be everywhere. It should be somewhere.

3 moves we made
Always-on MFA hurts everyone. Authaz lets you put strong factors only where the value justifies them.
01

Every factor, one interface

TOTP, WebAuthn passkeys, push, SMS, email, backup codes. Add a method without a migration.

one SDK · six factors · zero state machines
02

Step-up, not always-on

Require fresh MFA at sensitive routes — not at every login. Define inline, evaluate at the edge.

declared as requireFresh() · per-route, per-action
03

Risk signals you don't code

Geo, device, velocity, route — Authaz combines them into a score. You set the threshold; we route the user.

p99 18ms · 47 edge regions
Factors

Six methods. Mix and match per tenant.

Defaults at the platform, overrides per org. Acme requires WebAuthn; Forge requires nothing yet. Same code path, different policy.

TOTP

Authenticator apps — Google, 1Password, Authy.

rfc 6238

WebAuthn

Passkeys, security keys, Touch ID, Windows Hello.

fido2 · platform

Push

One-tap approval from your own mobile app.

native sdk · ios + android

SMS · OTP

Falls back when nothing else is enrolled. Rate-limited, geo-fenced.

twilio · vonage

Email · OTP

For low-risk surfaces or device recovery. Tokens expire in 10 minutes.

postmark · ses

Backup codes

10 single-use codes for the day someone loses their phone.

argon2id · single-use
The mechanics

Step-up MFA, made trivial.

— 01

Score every request, gate the dangerous ones.

Authaz reads device, geo, IP, route, and behavior — produces a risk score — and challenges only when the score crosses your bar. New device + sensitive route → step up. Everyday read → no friction.

  • signals from device + geo + ip + route + velocity
  • tunable thresholds per route
  • edge-evaluated · no extra hop
device: macbook · trusted 47d · low
geo: San Francisco, US (home) · low
ip: recurring asn · comcast · low
time: 09:14 local · usual · low
route: POST /v1/billing/delete · high
velocity: 4th sensitive call · 2m · mid
→ step-up required · totp or passkey
— 02

Enrollment that finishes itself.

Hosted enrollment for every factor, themed to your brand. Users finish in under 90 seconds median. We track drop-off, you get the report.

  • hosted or embedded React component
  • recovery + backup codes built in
  • cohort dashboard for adoption
ENROLL · STEP 2 / 3
Scan with your authenticator
Or paste the secret manually below.
JBSW Y3DP EHPK 3PXP
I've added it →
— 03

One line in the route, not a refactor.

Drop requireFresh at the top of any handler. Define which factors are acceptable, how recent the proof must be, and what to do on failure.

  • per-route · per-action · per-resource
  • configurable max-age
  • declarative, not state-machine
app/billing.ts · step-up

    await authaz.mfa.requireFresh({
      factor: ["webauthn", "totp"],
      max_age: "5m",
      on_failure: "redirect",
    });

    // gets here only on a fresh, strong second factor
    await db.org.delete(orgId);
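The check a requireFresh-style gate has to make, written out as an added example (not Authaz's code or SDK): the newest proof from an accepted factor must be no older than max_age. The types, function names and sample session below are assumptions made for illustration.

```typescript
// Added example: a local model of a requireFresh-style gate. Every name here is
// hypothetical (not the Authaz SDK), and the sample session is constructed.
type Factor = "password" | "webauthn" | "totp" | "push" | "sms" | "email";
type Reason = "no_proof" | "weak_factor" | "stale" | "clock_skew";
interface Proof { factor: Factor; verifiedAt: number } // epoch ms, recorded server-side
interface Policy { factor: Factor[]; max_age: string }
type Decision = { allow: true } | { allow: false; reason: Reason; offer: Factor[] };

// Parse "30s" / "5m" / "1h". Anything else throws, so a typo cannot silently
// turn into "no limit".
function parseMaxAge(text: string): number {
  const m = /^([1-9]\d*)([smh])$/.exec(text);
  if (!m) throw new Error(`invalid max_age: ${text}`);
  const unit = m[2] === "s" ? 1000 : m[2] === "m" ? 60000 : 3600000;
  return Number(m[1]) * unit;
}

// Allow only if the newest proof from an accepted factor is within max_age.
function checkFresh(proofs: Proof[], policy: Policy, now: number): Decision {
  const maxAge = parseMaxAge(policy.max_age);
  const deny = (reason: Reason): Decision => ({ allow: false, reason, offer: policy.factor });
  if (proofs.length === 0) return deny("no_proof");
  // A recent password login does not count: filter to accepted factors first.
  const strong = proofs.filter((p) => policy.factor.indexOf(p.factor) !== -1);
  if (strong.length === 0) return deny("weak_factor");
  const newest = Math.max(...strong.map((p) => p.verifiedAt));
  // A proof timestamped in the future means a bad clock or tampering: fail closed.
  if (newest > now) return deny("clock_skew");
  return now - newest <= maxAge ? { allow: true } : deny("stale");
}

// Constructed session matching the page's demo: password only, 41 minutes ago.
const sampleNow = Date.parse("2024-01-01T09:14:00Z");
const samplePolicy: Policy = { factor: ["webauthn", "totp"], max_age: "5m" };
const sampleSession: Proof[] = [{ factor: "password", verifiedAt: sampleNow - 41 * 60000 }];
console.log(checkFresh(sampleSession, samplePolicy, sampleNow)); // denied: weak_factor
sampleSession.push({ factor: "totp", verifiedAt: sampleNow - 10000 });
console.log(checkFresh(sampleSession, samplePolicy, sampleNow)); // allowed
```

The timestamps must come from the server's own record of each verification; a client-supplied verifiedAt would let the caller pick its own freshness.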
Spec

The fine print, up front.

Factors
TOTP (RFC 6238) · WebAuthn / FIDO2 · push · SMS · email · backup codes
Step-up
per-route · per-action · per-resource · risk-driven
Risk signals
device · geo · IP · ASN · velocity · route · time · custom
Enrollment
hosted page · embedded React SDK · admin-pushed
Recovery
backup codes · trusted contact · admin reset · device reactivation
Adoption telemetry
enroll · challenge · success · fail · per cohort
Hosting
auth.your-domain.com · or embedded
Pricing model
flat per active user · all factors included
Pairs with

One platform. Every primitive.

Every Authaz product shares the same primitives — sessions, policies, audit, tenants. Pick what you need today; add the rest when you do.

Get started

Strong factors. Where they earn their keep.

Step-up MFA, risk-aware, edge-evaluated. Friction only when the value justifies it.