Multi Factor Authentication

Duende IdentityServer itself doesn’t implement multi-factor authentication (MFA). MFA is part of the login process in the user interface which is the responsibility of the hosting application. Microsoft provides some general guidelines on how to enable MFA in ASP.NET Core.

MFA hosted in IdentityServer

An IdentityServer implementation can include MFA in its login page using anything that works with ASP.NET Core. One approach is to use ASP.NET Identity’s MFA support.

MFA and external authentication

When using IdentityServer as a federation gateway, interactive users authenticate at the upstream provider. Typically the upstream provider will perform the entire user authentication process, including any MFA required. There’s no special configuration or implementation needed in IdentityServer in this case, as the upstream provider handles everything.