Two-factor Authentication

Vesta’s two-factor authentication (2FA) feature enables the ability to authenticate your users only when needed, which reduces customer friction and requires very limited effort needed on your part. Vesta products that utilize 2FA can issue authentication challenges using a one-time passcode (OTP) delivered to your customer via text, email, or phone call. 2FA initiates the challenge automatically whenever Vesta detects risk signals related to an action.

2FA requires a subscription to Vesta’s Account Protect product.


2FA offers the following benefits:

  • Customer Friendly - Compared to knowledge-based authentication (KBA) or manual review, 2FA provides an easy way for a customers to authenticate their identities.
  • Multi-method - Customers can choose to receive a one-time passcode using email, text, or phone call.
  • Automated - 2FA is automatically initiated when Vesta detects risky account activity and returns a “ChallengeRequired” response.


The actions that can initiate the 2FA workflow described below depend on the Vesta service that you subscribe to. The steps below describe the basic steps your application will take to authenticate a customer’s identity using 2FA:

  1. The customer performs an action that Vesta determines is risky, and Vesta returns a “ChallengeRequired” response. The response includes a URL for the 2FA challenge form.
  2. Display the challenge form URL from the response in an iFrame on your web site or in your mobile app.
  3. The customer selects how they want to receive the one-time passcode: text, email, or phone.
  4. Vesta sends the passcode to the customer using the selected method and displays a field to enter the code in your app.
  5. The customer enters the passcode and taps a submit button.
  6. Vesta send you the status of the challenge and closes the iFrame. Your application then directs the customer to the appropriate flow for the returned status.


To add 2FA to your web or mobile application you must implement the following items:

  • iFrame - When Vesta determines that an action requires customer authentication, Vesta returns a response that includes a URL for the challenge form. Display the URL in an iFrame in your app.
  • Webhook - After your customer completes the authentication process, Vesta will send the results of the authentication to a webhook URL that you specify during onboarding.