
    Smart MFA. Not MFA everywhere.

    Your system should know when to challenge and when to step aside. Authaz evaluates risk on every action and only prompts MFA when the context demands it.

    Three real decisions

    See what the system actually does

    Every login and every action runs through the same risk engine. Here is how three common situations play out.

    Low risk

    Employee logs in from home

    Same device, same network, same behavior pattern. The system recognizes everything.

    Trigger

    Password login from known device

    Risk assessment

    Known IP, registered device, regular hours

    Action

    Session granted — no MFA challenge

    Smooth login. No friction added.

    Medium risk

    New device detected

    The user's credentials are valid, but the device fingerprint is unrecognized.

    Trigger

    Login from unregistered laptop

    Risk assessment

    New device fingerprint, valid credentials

    Action

    Step-up MFA prompt via TOTP

    One-time verification. Device is remembered after.

    High risk

    Admin deletes a resource

    A privileged action on a critical resource. The system always demands proof.

    Trigger

    DELETE request on production resource

    Risk assessment

    Destructive action, privileged scope required

    Action

    Mandatory MFA — short-lived elevated session

    Elevated scope expires after 5 minutes.

    How it works

    Risk tiers drive every decision

    The policy engine evaluates device, network, and action context on every request. MFA is never a blanket rule — it is a calculated response to risk.

    Low risk

    Known device + IP + behavior

    No challenge. Primary factor only.

    Medium risk

    New device, location anomaly, or stale session

    Conditional step-up. TOTP or email code.

    High risk

    Destructive action, privileged scope, or explicit policy

    Mandatory MFA. Short-lived elevated session.

    Device fingerprinting and IP reputation feed into the risk score automatically — no manual rule writing.

    Elevated sessions are short-lived by default, reducing the blast radius of a compromised privileged session.
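    The three scenarios above and the risk tiers in this section describe one decision procedure: high-risk signals (destructive request, privileged scope, explicit policy) always win and produce a mandatory MFA with a 5-minute elevation; familiarity signals (new device, new location, stale session) produce a conditional step-up; everything else passes on the primary factor alone. The following is an added TypeScript example of that tiering, written for this page and not Authaz's own engine. The signal names, the 12-hour staleness threshold, the `admin:` scope prefix, the "usual hours" check, and the `rememberDevice` / `isElevationValid` helpers are assumptions made for illustration.

```typescript
// Added example: a minimal risk-tier policy engine modelled on the tiers
// described on this page. Not Authaz's code; signal names, thresholds and
// helper names are assumptions for illustration.

export type Decision =
  | { tier: "low"; action: "allow" }
  | { tier: "medium"; action: "step_up"; factors: ("totp" | "email")[]; signals: string[] }
  | { tier: "high"; action: "mandatory_mfa"; elevationTtlSeconds: number; signals: string[] };

export interface RequestContext {
  userId: string;
  deviceFingerprint: string;
  ip: string;
  hourLocal: number;                  // 0-23, user's local time
  method: "GET" | "POST" | "PUT" | "DELETE";
  resourceTier: "production" | "staging" | "dev";
  requiredScope?: string;             // e.g. "admin:resources:delete"
  sessionAgeSeconds: number;
  explicitPolicyMfa?: boolean;        // a policy that demands MFA regardless of context
}

export interface UserProfile {
  knownDevices: Set<string>;
  knownIps: Set<string>;
  usualHours: [number, number];       // [start, end), local hours seen in normal use
}

// Assumed thresholds (not from the page): a session older than 12 hours is
// "stale"; the elevation TTL of 300 s matches the page's 5-minute window.
const STALE_SESSION_SECONDS = 12 * 60 * 60;
const ELEVATION_TTL_SECONDS = 300;
const PRIVILEGED_SCOPE_PREFIX = "admin:";

export function assessRisk(ctx: RequestContext, profile: UserProfile): Decision {
  // High-risk signals are evaluated first: familiarity never downgrades them.
  const high: string[] = [];
  if (ctx.method === "DELETE" && ctx.resourceTier === "production") high.push("destructive_action");
  if (ctx.requiredScope !== undefined && ctx.requiredScope.startsWith(PRIVILEGED_SCOPE_PREFIX)) {
    high.push("privileged_scope");
  }
  if (ctx.explicitPolicyMfa) high.push("explicit_policy");
  if (high.length > 0) {
    return { tier: "high", action: "mandatory_mfa", elevationTtlSeconds: ELEVATION_TTL_SECONDS, signals: high };
  }

  // Medium-risk signals: anything the profile does not recognise.
  const medium: string[] = [];
  if (!profile.knownDevices.has(ctx.deviceFingerprint)) medium.push("new_device");
  if (!profile.knownIps.has(ctx.ip)) medium.push("location_anomaly");
  if (ctx.sessionAgeSeconds > STALE_SESSION_SECONDS) medium.push("stale_session");
  const [start, end] = profile.usualHours;
  if (ctx.hourLocal < start || ctx.hourLocal >= end) medium.push("unusual_hours");
  if (medium.length > 0) {
    return { tier: "medium", action: "step_up", factors: ["totp", "email"], signals: medium };
  }

  // Low risk: known device, known IP, normal behaviour. Primary factor only.
  return { tier: "low", action: "allow" };
}

// After a successful step-up the device is remembered, so the next login
// from it is low risk (the "device is remembered after" behaviour above).
export function rememberDevice(profile: UserProfile, fingerprint: string): UserProfile {
  return { ...profile, knownDevices: new Set([...profile.knownDevices, fingerprint]) };
}

// An elevation token is only honoured inside its TTL window.
export function isElevationValid(issuedAtSeconds: number, nowSeconds: number, ttlSeconds: number): boolean {
  return nowSeconds >= issuedAtSeconds && nowSeconds - issuedAtSeconds < ttlSeconds;
}

// Constructed sample profile and requests mirroring the three scenarios above.
export const sampleProfile: UserProfile = {
  knownDevices: new Set(["fp-home-laptop"]),
  knownIps: new Set(["203.0.113.10"]),
  usualHours: [8, 19],
};

export const homeLogin: RequestContext = {
  userId: "u-1", deviceFingerprint: "fp-home-laptop", ip: "203.0.113.10", hourLocal: 10,
  method: "POST", resourceTier: "dev", sessionAgeSeconds: 0,
};

export const newLaptopLogin: RequestContext = { ...homeLogin, deviceFingerprint: "fp-new-laptop" };

export const adminDelete: RequestContext = {
  ...homeLogin, method: "DELETE", resourceTier: "production", requiredScope: "admin:resources:delete",
};
```

    Ordering is the point of the example: the high tier is decided before any familiarity check, so a known device on a known IP still gets a mandatory MFA for a production DELETE, while a new device on an otherwise ordinary request gets only a one-time step-up that disappears once the device is remembered.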

    SDK integration

    Step-up MFA in a few lines

    Challenge users before destructive actions, then use the short-lived elevation token to authorize the operation.

    step-up-mfa.ts
    import { authaz } from "@authaz/sdk";

    // Step-up MFA challenge before a privileged action, then the privileged
    // operation itself, authorized with the short-lived elevation token.
    export async function deleteWithStepUp(userId: string, resourceId: string): Promise<void> {
      const elevation = await authaz.mfa.challenge({
        userId,
        factor: "totp",
        reason: "privileged_action",
        scope: "admin:resources:delete",
        ttl: 300, // elevated session lasts 5 minutes
      });

      if (!elevation.verified) {
        throw new Error("MFA challenge failed");
      }

      // Proceed with the privileged operation
      await authaz.resources.delete(resourceId, {
        elevationToken: elevation.token,
      });
    }

    Security that adapts, not annoys

    Stop forcing MFA on every login. Let the risk engine decide.

    Free up to 2,000 MAU. TOTP is always included. SMS and WhatsApp are usage-based.