# Overview

> Multi-factor authentication (MFA) for embedded wallets, which requires additional identity verification for signing

**Privy enables users to set up multi-factor authentication (MFA) for embedded wallets on both EVM networks and Solana.** MFA helps secure the embedded wallet by requiring additional verification of a user's identity when the wallet is used.

<img src="https://mintcdn.com/privy-c2af3412/YvGXGsI-T4KAqoan/images/MFA.png?fit=max&auto=format&n=YvGXGsI-T4KAqoan&q=85&s=2ad6a50823b29bacbabd08067f025e0b" alt="images/MFA.png" width="1843" height="1317" data-path="images/MFA.png" />

Once a user enrolls in wallet MFA, **any action that requires use of the embedded wallet's private key will require the user to complete MFA verification.**
This includes signing messages, sending transactions, exporting the embedded wallet, and recovering the embedded wallet for use on new devices.

<Info>
  If a user has multiple embedded wallets (e.g. on different blockchains, or multiple HD addresses),
  enrolling in MFA will require MFA for signatures and transactions from **any** of them.
</Info>

**Privy currently supports three methods of wallet MFA:**

* **SMS**, where users verify with a 6-digit MFA code sent to their phone number
* **Time-based one-time password (TOTP)**, where users verify with a 6-digit MFA code from an authentication app, like Authy or Google Authenticator
* **Passkeys**, where users verify with a previously registered passkey, generally through biometric authentication on their device

<Warning>
  Setting up MFA on one active session will affect and limit signing in other active sessions. If a
  user has multiple active sessions (e.g. mobile and web), enabling MFA in one will cause them to be
  challenged on the other session.
</Warning>

## Policy-based MFA with Policies

By default, once a user enrolls in MFA, **all** wallet actions require MFA verification. However, you can implement **policy-based MFA** to require MFA only for specific actions while allowing routine transactions to proceed without additional verification.

For example, you can:

* Require MFA only for transactions above a certain amount (e.g., transfers over 1000 USDC)
* Require MFA for withdrawals while allowing deposits without MFA
* Apply MFA requirements based on specific tokens, contracts, or actions

This is achieved by combining MFA with [wallet policies](/controls/policies/create-a-policy) and authorization keys, giving you fine-grained control over when MFA is required.

<Info>
  Learn how to implement policy-based MFA in our [policy-based MFA
  recipe](/recipes/policy-based-mfa).
</Info>
