Privy enables users to set up multi-factor authentication (MFA) for embedded wallets on both EVM networks and Solana. MFA helps secure the embedded wallet by requiring additional verification of a user's identity when the wallet is used.

[Figure: MFA.png]

Once a user enrolls in wallet MFA, any action that requires use of the embedded wallet's private key will require the user to complete MFA verification. This includes signing messages, sending transactions, exporting the embedded wallet, and recovering the embedded wallet for use on new devices.

Privy currently supports three methods of wallet MFA:
  • SMS, where users verify with a 6-digit MFA code sent to their phone number
  • Time-based one-time password (TOTP), where users verify with a 6-digit MFA code from an authentication app, like Authy or Google Authenticator
  • Passkeys, where users verify with a previously registered passkey, generally through biometric authentication on their device
Once a user enrolls in MFA, it will remain enabled even if you disable MFA for your app. Users must manually disable MFA on their wallets if they wish to remove it.
Enrolling in MFA from one active session affects signing in the user's other active sessions. If a user has multiple active sessions (e.g., mobile and web), enabling MFA will cause them to be challenged for MFA on the other sessions as well.
If a user has multiple embedded wallets (e.g. on EVM and Solana, or multiple HD addresses), enrolling in MFA will require MFA for signatures and transactions from any of their embedded wallets.

Granular MFA with Policies

By default, once a user enrolls in MFA, all wallet actions require MFA verification. However, you can implement granular MFA to require MFA only for specific actions while allowing routine transactions to proceed without additional verification. For example, you can:
  • Require MFA only for transactions above a certain amount (e.g., transfers over 1000 USDC)
  • Require MFA for withdrawals while allowing deposits without MFA
  • Apply MFA requirements based on specific tokens, contracts, or actions
This is achieved by combining MFA with wallet policies and authorization keys, giving you fine-grained control over when MFA is required.
Learn how to implement granular MFA in our Granular MFA recipe.
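As an added example (not Privy's own code or API), the following TypeScript shows the kind of decision logic a granular MFA policy encodes: a rule list evaluated top to bottom, where deposits are exempt, withdrawals always need MFA, USDC transfers need MFA only above a 1000 USDC threshold, and calls to a flagged contract need MFA. Everything not explicitly exempted falls back to the page's default of requiring MFA. The request shape, rule format, token decimals and the placeholder contract address are assumptions constructed for illustration; amounts are handled as base-unit decimal strings rather than floats so that large token amounts compare exactly.

```typescript
// Added example, not Privy's code: a rule evaluator deciding whether a wallet
// action needs an MFA step-up. Field names and sample data are assumptions.

type WalletAction = "transfer" | "withdraw" | "deposit" | "contract_call" | "sign_message";

interface WalletRequest {
  action: WalletAction;
  token?: string;     // token symbol, e.g. "USDC" (assumed naming)
  amount?: string;    // amount in base units as a decimal string (USDC has 6 decimals)
  contract?: string;  // target contract for contract_call
}

interface MfaRule {
  name: string;
  matches: (req: WalletRequest) => boolean;
  requireMfa: boolean;
}

interface Decision { requireMfa: boolean; rule: string }

// Assumed decimals so thresholds can be written in whole token units.
const TOKEN_DECIMALS: Record<string, number> = { USDC: 6, ETH: 18 };

// Convert a whole-unit amount to a base-unit decimal string without floats.
function toBaseUnits(wholeUnits: number, token: string): string {
  const decimals = TOKEN_DECIMALS[token];
  if (decimals === undefined) throw new Error(`unknown token ${token}`);
  if (!Number.isInteger(wholeUnits) || wholeUnits < 0) throw new Error("whole units only");
  return String(wholeUnits) + "0".repeat(decimals);
}

// Compare two non-negative integer strings of arbitrary size: -1, 0 or 1.
function compareBaseUnits(a: string, b: string): number {
  const na = a.replace(/^0+(?=\d)/, "");
  const nb = b.replace(/^0+(?=\d)/, "");
  if (!/^\d+$/.test(na) || !/^\d+$/.test(nb)) throw new Error("amounts must be integer strings");
  if (na.length !== nb.length) return na.length < nb.length ? -1 : 1;
  return na < nb ? -1 : na > nb ? 1 : 0;
}

const USDC_THRESHOLD = toBaseUnits(1000, "USDC"); // "1000000000"

// Placeholder for a contract the app wants to gate behind MFA (not a real address).
const HIGH_RISK_CONTRACT = "0xPLACEHOLDER_HIGH_RISK_CONTRACT";

const isUsdcTransfer = (r: WalletRequest) => r.action === "transfer" && r.token === "USDC";

// Rules are evaluated in order; the first match decides.
const RULES: MfaRule[] = [
  { name: "deposits skip MFA", matches: r => r.action === "deposit", requireMfa: false },
  { name: "withdrawals require MFA", matches: r => r.action === "withdraw", requireMfa: true },
  {
    name: "USDC transfers over 1000 require MFA",
    matches: r => isUsdcTransfer(r) && compareBaseUnits(r.amount ?? "0", USDC_THRESHOLD) > 0,
    requireMfa: true,
  },
  {
    name: "USDC transfers up to 1000 skip MFA",
    matches: r => isUsdcTransfer(r) && compareBaseUnits(r.amount ?? "0", USDC_THRESHOLD) <= 0,
    requireMfa: false,
  },
  {
    name: "calls to the flagged contract require MFA",
    matches: r => r.action === "contract_call" && r.contract === HIGH_RISK_CONTRACT,
    requireMfa: true,
  },
];

function evaluate(req: WalletRequest, rules: MfaRule[] = RULES): Decision {
  for (const rule of rules) {
    if (rule.matches(req)) return { requireMfa: rule.requireMfa, rule: rule.name };
  }
  // Secure default mirroring the page: anything not explicitly exempted needs MFA.
  return { requireMfa: true, rule: "default: MFA required" };
}

// Constructed sample requests showing each branch.
const SAMPLES: WalletRequest[] = [
  { action: "deposit", token: "USDC", amount: "5000000000" },
  { action: "transfer", token: "USDC", amount: "500000000" },
  { action: "transfer", token: "USDC", amount: "1500000000" },
  { action: "withdraw", token: "ETH", amount: "10000000000000000" },
  { action: "sign_message" },
];

for (const s of SAMPLES) {
  const d = evaluate(s);
  console.log(`${s.action.padEnd(13)} ${s.token ?? "-"} ${s.amount ?? "-"} -> MFA=${d.requireMfa} (${d.rule})`);
}
```

The order of rules matters: the exemption for small USDC transfers must not be written as a blanket "transfers skip MFA" rule, or a transfer in another token would silently bypass the step-up. Keeping the fallback as "MFA required" means a new action type added later is gated until a rule explicitly exempts it.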