MFA & Step-Up (Web)

Add step-up verification and MFA setup to your web app

When to use this

Use step-up when a signed-in user performs a sensitive action (changing email, exporting data, billing, admin changes). Use MFA setup when a user enrolls or changes their second factor.

Both use the same Web SDK flow — you just start the right flow type and render the step types.

Flow overview

At a glance:

  1. Your UI starts a step-up or MFA setup flow.
  2. The user completes verification steps in the browser.
  3. Your backend exchanges the code and confirms the result.

Start a step-up flow

Call start(email, 'account_manage') when you need extra verification:

start(user.email, 'account_manage');

Then render steps the same way you do for login (select_method, enter_code, enter_totp, await_approval, etc.).


MFA setup steps

MFA enrollment surfaces specific step types you can render in your UI:

  • setup_totp — show QR + code input
  • setup_sms — collect phone number
  • enter_totp — verify authenticator code

You already handle these in the Web SDK quickstart — reuse those components.


Exchange result in your backend

When the flow completes, send authCode + codeVerifier to your backend and verify the result using the Hawcx backend SDK.
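
Once the backend has confirmed the result, it still has to tie that result to the signed-in session and decide how long it stays valid for sensitive actions. The following is an added example, not Hawcx SDK code or code from this documentation; the `verified.email` field, the `session` shape, the helper names and the five-minute window are assumptions.

```javascript
// Added example, not Hawcx SDK code: server-side step-up gate.
// ASSUMPTIONS: `verified` is the result your backend got by exchanging
// authCode + codeVerifier with the Hawcx backend SDK; its `email` field name
// is hypothetical. `session` is your own server-side session record.
const STEP_UP_MAX_AGE_MS = 5 * 60 * 1000; // constructed policy value

function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// Mark the session as stepped-up only when the identity the flow verified
// is the user who is already signed in on this session.
function recordStepUp(session, verified, now = Date.now()) {
  const expected = normalizeEmail(session && session.userEmail);
  const actual = normalizeEmail(verified && verified.email);
  if (!expected || expected !== actual) {
    return { ok: false, reason: 'identity_mismatch' };
  }
  session.stepUpAt = now;
  return { ok: true };
}

// Decide whether the session holds a step-up that is still fresh.
function checkStepUp(session, now = Date.now()) {
  const at = session && session.stepUpAt;
  if (typeof at !== 'number') return { ok: false, reason: 'step_up_required' };
  const age = now - at;
  if (age < 0 || age > STEP_UP_MAX_AGE_MS) {
    return { ok: false, reason: 'step_up_expired' };
  }
  return { ok: true };
}

// Wrap a sensitive handler (email change, export, billing, admin change)
// so it fails closed. `clock` is injectable for tests.
function withStepUp(handler, clock = Date.now) {
  return (session, ...args) => {
    const gate = checkStepUp(session, clock());
    if (!gate.ok) return { status: 403, error: gate.reason };
    return handler(session, ...args);
  };
}
```

Keep `stepUpAt` in server-side session state only, so the browser cannot set or extend it.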