Multifactor Authentication

Summary of Question: Could you please provide guidance on configuring Multifactor Authentication (MFA) in Mendix? Specifically, I'm looking for steps or documentation on how to set up MFA to send an email-based One-Time Password (OTP), validate that OTP, and then authenticate login. I'm using MFA for Mendix by Emixa.
asked
2 answers

Hi Moses,
If your users can log in via OIDC/SAML, the cleanest approach is to configure MFA in the IdP (Azure AD/Entra, Okta, Ping, etc.). Mendix then delegates authentication to the IdP, and the IdP handles MFA (including email/SMS/app-based methods depending on your policy). This is the most standard enterprise setup.
If you specifically need MFA inside the Mendix app (for local Mendix accounts), I would recommend using the Multi-factor Authentication For Mendix (MFA/2FA) Marketplace (external) module. It builds on Mendix’s core login/authentication flow and adds an extra verification step. In short, it only creates a user session after username + password and an additional one-time code are validated. It supports common second-factor options such as SMS, email, (Google) Authenticator, and even passkeys, so it’s a solid “ready-to-use” option compared to building the full OTP flow yourself.
----------------------------------------------------------------------------------------------------------------------------------------------------
As a third option, it is possible to implement MFA (email OTP) in Mendix without using an external module, but this requires a fully custom login flow. The basic idea is to first validate the user with username and password, but do not create a session yet. The session is only created after the OTP is successfully verified.
First, you need a persistable entity, for example MFA_Challenge. This entity should store the user identifier (email or username), the hashed OTP, an expiration time (ExpiresAt), an attempt counter (Attempts), and a flag like IsUsed to mark the OTP as single-use. The OTP must never be stored in plain text.
During login, the user enters username and password. In the microflow, the user is retrieved and the password is validated. If the password is correct, the user is still not logged in. Instead, an MFA_Challenge record is created and the OTP flow is started.
Next, a 6-digit OTP is generated, hashed, stored in MFA_Challenge, and given a validity window (for example 5 minutes). This OTP is then sent to the user via email using the Mendix Email Connector or SMTP configuration.
When the user enters the OTP, a second validation step runs. This checks whether the OTP has expired, whether the attempt limit is exceeded, and whether the hashed value matches the stored hash. If successful, the record is marked as IsUsed = true.
After the OTP is successfully validated, a user session is created and the user is redirected to the home page. This ensures that the actual login only happens after the second factor is verified.
From a security perspective, you should at minimum enforce OTP expiry, attempt limits, single-use OTPs, and resend restrictions. It is also good practice to clean up old OTP records using a scheduled event.

answered

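The custom email-OTP flow laid out in the answer above (a challenge record holding only a hashed OTP, an expiry, an attempt counter and a single-use flag, with the session created only after a successful second step), as an added Python model. This is not code from the answer or from Mendix: in a Mendix app the same logic would live in microflows or a Java action against the MFA_Challenge entity, and the server-side key, the attempt limit and the status strings are assumptions made here.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

OTP_DIGITS = 6                   # OTP length from the answer
OTP_TTL = timedelta(minutes=5)   # validity window from the answer
MAX_ATTEMPTS = 5                 # assumed attempt limit
# Assumed server-side key: in a real app load it from a Mendix constant or secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class MFAChallenge:
    """Mirrors the MFA_Challenge entity: user identifier, hashed OTP, ExpiresAt, Attempts, IsUsed."""
    user_id: str
    otp_hash: str
    expires_at: datetime
    attempts: int = 0
    is_used: bool = False


def hash_otp(user_id: str, otp: str) -> str:
    # A 6-digit code has only a million values, so a bare hash could be brute-forced
    # offline if the table leaked; a keyed HMAC bound to the user closes that gap.
    return hmac.new(SERVER_KEY, f"{user_id}:{otp}".encode(), hashlib.sha256).hexdigest()

def issue_challenge(user_id: str, now: Optional[datetime] = None) -> tuple:
    """Step 1, after the password check: persist only the hash; the plaintext OTP goes into the email."""
    now = now or datetime.now(timezone.utc)
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    return MFAChallenge(user_id, hash_otp(user_id, otp), now + OTP_TTL), otp

def verify_otp(challenge: MFAChallenge, submitted: str, now: Optional[datetime] = None) -> str:
    """Step 2: only an "ok" result may create the user session."""
    now = now or datetime.now(timezone.utc)
    if challenge.is_used:
        return "used"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1  # charge the attempt before comparing
    if not hmac.compare_digest(challenge.otp_hash, hash_otp(challenge.user_id, submitted)):
        return "wrong"
    challenge.is_used = True  # single use: a replayed code is rejected
    return "ok"
```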
Hi Moses,
Yes, you can prefer to use Emixa MFA, which is mostly used with local Mendix username/password login. In this setup, MFA runs after the username and password are checked, but before the user session is created. If you are using SSO (OIDC/SAML), MFA is usually handled by the IdP, so Emixa MFA is normally not needed.
Next, configure the MFA settings from the admin/configuration pages that come with the Emixa module. Choose “Email OTP” as the method, set the OTP length (usually “6 digits”), expiry time (for example “5 minutes”), maximum attempts, and resend cooldown. Before moving on, make sure email sending works by testing your SMTP / Email Connector.
Then connect MFA to the login flow. The module usually provides a login microflow or “start MFA” / “validate MFA” microflows. After a successful username/password check, the flow should create an MFA challenge and send the OTP email, but should not create a user session yet. The session must only be created after the OTP is entered and validated.
When the user enters the correct OTP, the module finishes the login by creating the user session and redirecting the user to the home page. This ensures that login only succeeds after both steps are completed.
Finally, test simple edge cases like expired OTP, wrong OTP, resend OTP, user without email, and opening the OTP page in multiple tabs. Most MFA issues come from email setup problems or creating the session too early.
answered