I’m building a Single Page Application (SPA) with a custom login form (not using Universal Login). I want to enforce MFA (e.g., TOTP or SMS-based) after users log in.
Based on the documentation, MFA support seems tied to Universal Login. I want to know:
Is MFA not supported at all in embedded/custom login (via /oauth/token with ROPG)?
If not, what’s the correct way to enable MFA in a SPA with custom UI?
Can we implement a hybrid flow: show our custom login UI, then redirect to /authorize to trigger MFA?
I want to provide a secure MFA experience without fully switching to Universal Login. Please suggest the best practice or any workarounds.
Thank you for posting your question. It’s possible to support MFA via /oauth/token with ROPG, but you will need to use the MFA API to achieve this. Here’s a link to our documentation that describes this flow → Authenticate Using the Resource Owner Password Flow with MFA
Alternatively, have you considered using the ACUL (Advanced Customizations for Universal Login)? It will still use the Universal Login under the hood, but allows for far greater customization.
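To make the ROPG + MFA API flow from the reply above concrete, here is an added example (written for this page, not code from the original post or from Auth0) of the exchange a custom login UI performs against Auth0's documented endpoints: `POST /oauth/token` with `grant_type=password`, an `mfa_required` error carrying an `mfa_token`, `GET /mfa/authenticators`, `POST /mfa/challenge`, and the final `POST /oauth/token` with the `mfa-otp` or `mfa-oob` grant type. The HTTP layer is abstracted behind a small synchronous `transport(method, path, body, bearer)` function so the flow can run offline against a constructed fake tenant; the tenant domain, client id, credentials, authenticator id, tokens and OTP value are all made up for the example.

```javascript
// Added example: ROPG primary auth followed by the Auth0 MFA API, driven through
// a synchronous transport so it runs offline. All identifiers below are assumptions.
const MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp";
const MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob";

// Step 1: password grant. The scope requests the MFA API permissions so the
// mfa_token returned with "mfa_required" can list authenticators and challenge.
function passwordGrant(transport, cfg) {
  return transport("POST", "/oauth/token", {
    grant_type: "password",
    username: cfg.username,
    password: cfg.password,
    client_id: cfg.clientId,
    audience: cfg.audience,
    scope: "openid profile enroll read:authenticators",
  });
}

// Step 2: ask Auth0 to challenge a specific enrolled authenticator. TOTP comes
// back as challenge_type "otp"; SMS/push comes back as "oob" with an oob_code.
function requestChallenge(transport, cfg, mfaToken, authenticatorId) {
  return transport("POST", "/mfa/challenge", {
    mfa_token: mfaToken,
    client_id: cfg.clientId,
    challenge_type: "otp oob",
    authenticator_id: authenticatorId,
  });
}

// Step 3: trade mfa_token plus the user's code for tokens via the MFA grant types.
function completeMfa(transport, cfg, mfaToken, challenge, code) {
  if (challenge.challenge_type === "otp") {
    return transport("POST", "/oauth/token", {
      grant_type: MFA_OTP_GRANT, client_id: cfg.clientId, mfa_token: mfaToken, otp: code,
    });
  }
  return transport("POST", "/oauth/token", {
    grant_type: MFA_OOB_GRANT, client_id: cfg.clientId, mfa_token: mfaToken,
    oob_code: challenge.oob_code, binding_code: code,
  });
}

// Full flow: returns the token response, or throws on any failure.
// promptForCode(challenge) is the UI hook that collects the OTP/SMS code.
function loginWithMfa(transport, cfg, promptForCode) {
  const first = passwordGrant(transport, cfg);
  if (first.status === 200) return first.body; // tenant did not require MFA
  if (first.status !== 403 || first.body.error !== "mfa_required") {
    throw new Error(`primary authentication failed: ${first.body.error}`);
  }
  const mfaToken = first.body.mfa_token;
  // The authenticator list is read with the mfa_token as a Bearer token.
  const list = transport("GET", "/mfa/authenticators", null, mfaToken);
  const active = list.body.filter((a) => a.active);
  if (active.length === 0) throw new Error("no active authenticator enrolled");
  const chal = requestChallenge(transport, cfg, mfaToken, active[0].id);
  const code = promptForCode(chal.body);
  const final = completeMfa(transport, cfg, mfaToken, chal.body, code);
  if (final.status !== 200) throw new Error(`MFA failed: ${final.body.error}`);
  return final.body;
}

// Constructed fake tenant standing in for https://<tenant>.auth0.com (assumed).
// Models one user with a TOTP authenticator and the documented error shapes.
function makeFakeTenant({ otp, mfaRequired = true }) {
  const MFA_TOKEN = "fake-mfa-token";
  return (method, path, body, bearer) => {
    if (path === "/oauth/token" && body.grant_type === "password") {
      if (body.username !== "alice@example.com" || body.password !== "correct-horse")
        return { status: 403, body: { error: "invalid_grant" } };
      if (!mfaRequired) return { status: 200, body: { access_token: "at-no-mfa" } };
      return { status: 403, body: { error: "mfa_required", mfa_token: MFA_TOKEN } };
    }
    if (method === "GET" && path === "/mfa/authenticators" && bearer === MFA_TOKEN)
      return { status: 200, body: [{ id: "totp|dev_fake1", authenticator_type: "otp", active: true }] };
    if (path === "/mfa/challenge" && body.mfa_token === MFA_TOKEN)
      return { status: 200, body: { challenge_type: "otp" } };
    if (path === "/oauth/token" && body.grant_type === MFA_OTP_GRANT && body.mfa_token === MFA_TOKEN)
      return body.otp === otp
        ? { status: 200, body: { access_token: "at-after-mfa", token_type: "Bearer" } }
        : { status: 403, body: { error: "invalid_grant", error_description: "Invalid otp_code." } };
    return { status: 401, body: { error: "unauthorized" } };
  };
}

const exampleConfig = {
  clientId: "fake-client-id", audience: "https://api.example.com",
  username: "alice@example.com", password: "correct-horse",
};
```

In a real SPA the `transport` wrapper would be an async `fetch` to `https://<tenant>.auth0.com` and `promptForCode` would render your own OTP/SMS input; the control flow is the same. Two checks worth keeping in production: treat any non-200 from the final `/oauth/token` call as a hard failure rather than retrying silently, and never cache or reuse the `mfa_token` beyond the single login attempt it was issued for.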