Allowed authentication methods

The following is the list of the secondary authentication methods that you can enable to protect enterprise applications.
The authentication methods and devices that you set up on the ​Akamai MFA​ Policies page will impact the authentication options that the users see in their enrollment and authentication prompts.

WebAuthn/FIDO2 security key

Authentication method that uses WebAuthn/FIDO2 hardware security key such as a Yubikey USB token to provide users with cryptographic authentication to protected resources.

See FIDO U2F security key to learn more.


This authentication method is not supported for the Unix PAM and Windows Logon integrations.

FIDO2 phone security key

Authentication method that leverages the ​​Akamai MFA​ mobile app installed on the user's smartphone to pair their mobile device with the browser and establish a secure channel between these two parties. This factor can be used both with or without the ​Akamai MFA​ browser extension to provide users with the increased security of FIDO2 standards and the frictionless user experience of a standard push.

If this authentication factor is enabled, at least one of the following settings must be selected:

  • Without Browser Extension. Provides the best user experience as the end user doesn’t have to install a browser extension to pair their mobile device with the browser and authenticate.
  • With Browser Extension. Browser extension is required to pair the mobile device with the browser and authenticate.

With both options enabled, the extensionless flow will be used if a pairing already exists. If there's no existing pairing, the service checks whether the extension is installed and will use it if it’s present. If the extension isn’t installed and no pairing is detected, the user is prompted to pair their browser using the extensionless flow.

See security key to learn how users can self-enroll their security keys.


This authentication method is not supported for the Unix PAM and Windows Logon integrations.

Push notification

Authentication method that sends a push request with Allow and Deny action buttons to the user's enrolled mobile device. The users can either tap Allow, which allows them to authenticate, or Deny to block an unauthorized access attempt.

See push notification to learn more.

​Akamai MFA​ TOTP

This method sends mobile-generated one-time passcodes to the user's account in the ​Akamai MFA​ mobile app. The user needs to enter the received passcode into the authentication prompt within a determined period of time. With this method, users can sign in without an internet connection.

See ​Akamai MFA​ TOTP to learn more.

Email or SMS OTP

With this authentication method, the ​Akamai MFA​ service generates random numeric or alphanumeric one-time passcodes that remain valid for a single log-in session. Users receive the verification code via SMS or email and submit it in the ​Akamai MFA​ authentication prompt to log in.

Any user who has an email address associated with their account is shown this device card in the authentication prompt if the Authentication Factors policy allows it. These devices don't count towards a user’s enrollment status, requiring them to enroll or associate one non-email device (for example, mobile phone, security key) before being allowed to perform MFA.

User-initiated enrollment of email addresses is not supported. Only administrators or automated provisioning systems (SCIM, EAA) are allowed to set user’s email addresses. Users may only have one email address associated with their account.

See SMS or email OTP to learn more.

Bypass code

It's a user-specific passcode that lets users authenticate when they can't use their enrolled authentication device. The user needs to contact the IT department to request the bypass code and, next, submits the code during the secondary log-in process. Just like email, the bypass code is used as a backup method.


This is a backup authentication method for situations when the user is unable to authenticate with their enrolled mobile device.

See Generate a bypass code and Use the bypass code to learn more.

Magic link (via SMS)

With this authentication method, the user receives a text message with a link leading to the authentication request. When the user clicks the link, they are redirected to a webpage displaying the login request that lets the user confirm their identity.

See Magic link (via SMS) to learn more.

Phone call OTP

Authentication method that uses telephony APIs to call the user's registered phone number, including landlines, and forward the verification code via voicemail.
Upon receiving a voice message with the verification code, the user confirms their identity by submitting the code in the ​Akamai MFA​ authentication prompt.

See phone call OTP to learn more.

Legacy phone

This method lets users enroll a non-smartphone device (including a landline phone) that supports phone calls and SMS authentication methods.

To allow an SMS OTP as an authentication method for a non-smartphone device, you should enable SMS Enabled and Legacy phone.
To allow a Phone call as an authentication method for a non-smartphone device, you should enable Phone call and Legacy phone.

Hardware token TOTP/HOTP

A hardware token is a security device that runs on the algorithm to generate one-time passcodes. Passcodes change constantly at a defined time interval (usually every 30 seconds). To confirm their identity users need to enter the passcodes generated by the hardware token in the ​Akamai MFA​ authentication prompt.

See assign a hardware token to a user and manage hardware tokens to learn more.

Third party authenticator OTP

With this method, you can allow Duo Mobile, Google Authenticator, Microsoft Authenticator, Okta Verify, or any other mobile app that provides TOTP (time-based one-time passcodes) upon scanning a QR code. After the user enrolls the selected app as the third party OTP device in the ​Akamai MFA​ service, they can use OTP codes that they receive in their account in the mobile app to authenticate to protected resources.

See Third-party OTP devices to learn more.