← Back to KB index

Auth

MFA step-up challenge - troubleshooting

Why you saw an MFA prompt and how to resolve common issues.

Why you saw the prompt

Adaptive MFA (Z.306) triggers on:

New device fingerprint
New location
High-risk action (secret rotation, policy publish, approval decision)
Impossible travel (>500km/h since last login)

Methods supported

WebAuthn (FIDO2 passkey) - primary, no codes needed
TOTP (Authenticator app) - fallback
Backup codes - emergency

Common issues

"Authenticator code rejected"

Clock drift > 30s between device and server. Sync time.

"Passkey not found"

Register a new passkey: Mini App -> Settings -> Security -> Add passkey

"Too many attempts"

Lockout after 5 failures. 15-min cooldown. Use backup code or contact admin.

Disable step-up (Enterprise admin only)

Not recommended. If absolutely required:

POST /api/v1/v26/auth/policy
{ "tenant_id": "", "stepup": false }

This rolls back Z.306 hardening - composite score will drop ~3 points.