Multi-factor authentication (MFA) for customer apps
Multi-factor authentication adds a second proof of identity beyond the password. In CIAM (customer identity and access management) the hard part is not the technology; it is applying it to customers who did not ask for friction.
Methods, strongest to weakest
- Passkeys / FIDO2 hardware: phishing-resistant. The target to move toward. See passkeys.
- Authenticator app (TOTP) or push: strong, low cost, no carrier dependency.
- Email OTP: acceptable as a step-up, weak as a primary second factor.
- SMS OTP: the most common and the weakest. SIM swap and interception are real. Use it as a floor, not a goal.
Adaptive MFA: prompt only when risk is high
Forcing MFA on every login costs conversion. Adaptive (risk-based) MFA evaluates signals such as new device, unusual location, impossible travel, or a known-breached password, and only challenges when risk crosses a threshold. This is where CIAM platforms differ most. Ask what signals feed the risk engine and whether you can tune the policy.
Step-up authentication
Step-up applies MFA at the moment of a sensitive action (changing a payout account, large transfer) rather than at login. It keeps everyday access frictionless while protecting the operations that matter. Confirm the platform supports per-action step-up, not just per-session.
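As an added example (not from this guide or any vendor's product), here is a minimal policy engine covering both decisions above: the adaptive login check, which scores the signals listed earlier and challenges only above a threshold, and per-action step-up, which challenges for a sensitive action unless the session already holds a fresh second factor. The signal weights, thresholds, action names and the session dictionary layout are constructed assumptions.

```python
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt

# Constructed weights and thresholds for this example; a real deployment tunes them from its own data.
CHALLENGE_THRESHOLD = 50       # total risk score at which a login gets an MFA challenge
IMPOSSIBLE_SPEED_KMH = 900     # faster than an airliner between two consecutive logins
STEP_UP_ACTIONS = {"change_payout_account", "large_transfer"}
STEP_UP_FRESHNESS_S = 300      # a second factor verified this recently still covers the action

@dataclass
class LoginContext:
    device_id: str
    country: str
    lat: float
    lon: float
    ts: float                  # unix seconds
    password_breached: bool = False
@dataclass
class UserHistory:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_login: "LoginContext | None" = None

def _speed_kmh(a, b):
    """Implied travel speed between two logins: haversine distance / elapsed hours."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h)) / max((b.ts - a.ts) / 3600, 1e-6)

def risk_score(ctx, hist):
    """Weighted sum of the signals the text lists; returns (score, names of triggered signals)."""
    last = hist.last_login
    signals = [  # (name, weight, fired): the policy table an operator would tune
        ("new_device", 30, ctx.device_id not in hist.known_devices),
        ("unusual_location", 25, ctx.country not in hist.known_countries),
        ("impossible_travel", 60, last is not None and _speed_kmh(last, ctx) > IMPOSSIBLE_SPEED_KMH),
        ("breached_password", 40, ctx.password_breached),
    ]
    hits = [(n, w) for n, w, fired in signals if fired]
    return sum(w for _, w in hits), [n for n, _ in hits]

def challenge_at_login(ctx, hist):
    return risk_score(ctx, hist)[0] >= CHALLENGE_THRESHOLD  # adaptive: challenge only above threshold

def challenge_for_action(action, session, now):
    """Per-action step-up: sensitive actions only, and only without a fresh second factor."""
    if action not in STEP_UP_ACTIONS:
        return False
    verified_at = session.get("mfa_verified_at")
    return verified_at is None or now - verified_at > STEP_UP_FRESHNESS_S
```

Returning the triggered signal names alongside the score is what lets you log why a customer was challenged and tune the weights from real conversion data.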
Buyer checklist
- Is adaptive MFA included, or only in a higher tier? See the pricing guide.
- Which risk signals are built in, and can you add your own?
- Can users enroll multiple factors and self-recover?
- Is SMS billed as a pass-through cost on top of the license? (It usually is.)
Frictionless by default, strong when it counts. That is the bar. Use the vendor matcher to filter for adaptive MFA support.