During TOTP authentication, Mosaic uses the TOTP authenticator to validate codes that are generated by the authenticator app. Depending on the app settings, a user can register one authenticator per application or multiple authenticators (Admin Portal > B2C Identity or B2B Identity > app > Authentication methods > TOTP > Max TOTPs).
Note: For step-by-step implementation instructions, refer to the guides:
Depending on the Max TOTPs setting, Mosaic applies the following logic when registering new TOTPs:
- If only one TOTP per application is allowed:
  - Registers a TOTP unless the user already has another active TOTP.
  - If there is already a TOTP associated with the user, Mosaic either blocks the registration or overrides the existing TOTP:
    - For journey-based integrations, this behavior is defined in the Register TOTP step > Single-TOTP behavior.
    - For API integrations, this behavior is defined by the allow_override parameter in the Register TOTP API call.
- If multiple TOTPs per application are allowed:
  - Registers a new TOTP as long as the user has not reached the limit.
  - Once the limit is reached, Mosaic always blocks registration of new TOTPs.
During authentication, Mosaic validates the passcode against all of the user's active TOTPs. The authentication succeeds if the passcode matches any one of the available authenticators.
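The registration policy above (single-TOTP block-or-override, multi-TOTP limit) and the "match any active authenticator" validation rule are easy to get subtly wrong, so here is a small model of both as an added example. This is not Mosaic's code and does not call the Mosaic API; the TotpStore, Authenticator and totp_code names, the max_totps / allow_override parameters and the sample secrets are assumptions made for the illustration. Code generation follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and the test secret is the RFC 4226/6238 reference key.

```python
# Added example (not Mosaic's own code). Models the TOTP registration policy
# (Max TOTPs, single-TOTP override vs. block) and passcode validation against
# every active authenticator. All class and parameter names are assumptions.
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

STEP_SECONDS = 30


def totp_code(secret_b32: str, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(for_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Authenticator:
    secret_b32: str
    active: bool = True


@dataclass
class TotpStore:
    max_totps: int  # mirrors the "Max TOTPs" app setting
    users: dict = field(default_factory=dict)

    def active_totps(self, user_id: str) -> list:
        return [a for a in self.users.get(user_id, []) if a.active]

    def register(self, user_id: str, secret_b32: str, allow_override: bool = False) -> str:
        """Returns 'registered', 'overridden' or 'blocked' per the policy in the text."""
        active = self.active_totps(user_id)
        if self.max_totps == 1 and active:
            # Single-TOTP mode: block unless override is allowed (journey step
            # setting or the allow_override API parameter).
            if not allow_override:
                return "blocked"
            for a in active:
                a.active = False
            result = "overridden"
        elif len(active) >= self.max_totps:
            # Multi-TOTP mode: limit reached, registration is always blocked.
            return "blocked"
        else:
            result = "registered"
        self.users.setdefault(user_id, []).append(Authenticator(secret_b32))
        return result

    def revoke(self, user_id: str, secret_b32: str) -> bool:
        """Deactivates one authenticator (models the Revoke TOTP calls)."""
        for a in self.active_totps(user_id):
            if a.secret_b32 == secret_b32:
                a.active = False
                return True
        return False

    def validate(self, user_id: str, passcode: str, now: int = None, window: int = 1) -> bool:
        """Succeeds if the passcode matches ANY active authenticator within +/- window steps."""
        now = int(time.time()) if now is None else int(now)
        for auth in self.active_totps(user_id):
            for k in range(-window, window + 1):
                expected = totp_code(auth.secret_b32, now + STEP_SECONDS * k)
                if hmac.compare_digest(expected, passcode):
                    return True
        return False


if __name__ == "__main__":
    # Constructed sample: RFC 6238 reference secret "12345678901234567890" in base32.
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    store = TotpStore(max_totps=2)
    print(store.register("alice", rfc_secret), store.register("alice", "JBSWY3DPEHPK3PXP"))
    print(store.register("alice", "ORSXG5A="))  # blocked: limit reached
    print(store.validate("alice", totp_code(rfc_secret, 59), now=59))
```

Two points worth noting: in single-TOTP mode the override deactivates the previous authenticator before the new one is stored, so a code from the old app stops working immediately; and validation iterates over all active secrets with constant-time comparison, which is the behaviour the text describes for multi-TOTP users.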
Mosaic allows revoking TOTP authenticators via:
- Revoke my TOTP API call
- Revoke TOTP API call
- Revoke my TOTP journey step