So what happens after 2FA has been enabled? To better explain how 2FA works, let’s start by recapping the registration experience in Hosted Login v1. In Hosted Login v1, you can create a new account in one of two ways:
- By supplying an email address and password. This is known as a “traditional” registration.
- By logging on to a social login provider such as Facebook or Twitter, and by using an existing account with that provider as your Identity Cloud account. After you’ve logged on to your social provider, you’re then required to supply your email address (as well as any other required attributes) before your account is actually created.
Regardless of how your account is created, you’ll be logged on immediately after the account is created. In addition, you’ll be sent an email address verification email similar to this:
To verify your email address, just click the link in the email verification message.
Now, let’s compare this to the user registration process in Hosted Login v2 (or, more correctly, the registration process with 2FA enabled). Like Hosted Login v1, you can create a new account using either traditional registration or social registration. In this case, however, you aren’t immediately logged on after clicking the button to create that new account. Instead, an access code (a six-digit random number) is sent to the email address you supplied during the registration process. In addition to that, an Access Code Required screen is displayed:
You must retrieve the access code emailed to you, type that code into the Enter Access Code field, and then click Continue. Only then will you be logged on, and only then will you be issued an access token.
In case you’re wondering, the email sent to you looks something like this:
Note. Can you change the wording for these messages? At this point in time, no: this is something your Identity Cloud representative needs to help you with. However, there are some additional API endpoints (currently in development) that will give you this capability.
Two things to keep in mind here:
- You have 5 minutes in which to supply your access code; that’s because codes expire after 5 minutes. If you wait too long, or if you enter an invalid code, registration will remain stalled. If that happens, just click Resend Access Code and request a new code. Incidentally, the default access code lifetime (5 minutes) is not configurable.
- During registration, access codes are only sent by using email. After an account has been created, however, you’ll have the option of having codes sent either by email or by text message. See Two-Factor Authentication and User Logins for more information.
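
The following sketch models the access-code flow described above from the server side. It is an added illustration, not Identity Cloud's implementation: the class and method names, and the rules that a resend replaces the earlier code and that a code works only once, are assumptions, while the six-digit code and 5-minute lifetime come from the text.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # codes expire after 5 minutes (from the page)


class PendingRegistration:
    """Hypothetical model: registration stays stalled until the code is verified."""

    def __init__(self, email, clock=time.time):
        self.email = email
        self._clock = clock        # injectable so expiry can be exercised in tests
        self._code = None
        self._expires_at = 0.0
        self.access_token = None   # stays None until a valid code is submitted

    def send_access_code(self):
        """Issue a fresh six-digit code; also models Resend Access Code."""
        # secrets uses the OS CSPRNG; :06d keeps leading zeros so it is always 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self._code = code          # assumption: a resend replaces the earlier code
        self._expires_at = self._clock() + CODE_TTL_SECONDS
        return code                # would be emailed to self.email, never shown on screen

    def submit_code(self, submitted):
        """Return an access token on success; None if the code is wrong or expired."""
        if self._code is None or self._clock() >= self._expires_at:
            return None            # expired or never issued: registration stays stalled
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(submitted.encode(), self._code.encode()):
            return None            # invalid code: registration stays stalled
        self._code = None          # assumption: a code can be used only once
        self.access_token = secrets.token_urlsafe(32)
        return self.access_token
```
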