
Multi-Factor Authentication (MFA)

Add an extra layer of security to your Fincept account with email-based multi-factor authentication.

What is MFA?

MFA requires two forms of verification to access your account:
  1. Something you know - Your password
  2. Something you have - OTP code sent to your email
This prevents unauthorized access even if your password is compromised.

When to Use MFA

Recommended For

  • Production API keys
  • High credit balance accounts
  • Enterprise users
  • Shared team accounts
  • Sensitive applications

Optional For

  • Personal testing accounts
  • Development environments
  • Low-usage accounts
  • Guest accounts (MFA is not supported for them)

Enabling MFA

Prerequisites

  • Verified email address
  • Active registered account
  • Valid API key

Enable MFA

curl -X POST https://finceptbackend.share.zrok.io/user/mfa/enable \
  -H "X-API-Key: fk_user_your_key" \
  -H "Content-Type: application/json"
Response:
{
  "success": true,
  "data": {
    "message": "MFA enabled successfully. You will receive a verification code via email on your next login."
  }
}
MFA takes effect immediately. Your next login will require an OTP code.

Logging In with MFA

Two-Step Login Process

Step 1: Enter credentials
curl -X POST https://finceptbackend.share.zrok.io/user/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123!"
  }'
Response:
{
  "success": true,
  "data": {
    "mfa_required": true,
    "message": "MFA code sent to your email. Please verify to complete login."
  }
}
Step 2: Enter OTP code
Check your email for the 6-digit code, then:
curl -X POST https://finceptbackend.share.zrok.io/user/verify-mfa \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "otp": "654321"
  }'
Response:
{
  "success": true,
  "data": {
    "api_key": "fk_user_your_key",
    "message": "MFA verification successful. Login complete."
  }
}

OTP Details

Property   Value
Length     6 digits
Validity   10 minutes
Delivery   Email
Attempts   5 max
Resend     Not supported (request a new login)
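The properties in the table above are what the server has to enforce, and how it does so determines whether a 6-digit code is actually safe. The following reference model is an added example written for this page, not Fincept's server code: it draws codes from a CSPRNG, stores only a salted hash, compares in constant time, counts attempts, expires codes after 10 minutes and makes each code single-use. The class and method names, the injectable `clock` parameter and the returned status strings are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy values taken from the OTP table on this page.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 10 * 60
OTP_MAX_ATTEMPTS = 5


@dataclass
class PendingOtp:
    """One outstanding login challenge. Only a salted hash of the code is kept,
    so reading the store does not reveal a still-valid code."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS
    used: bool = False


def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpStore:
    """Issues and verifies single-use e-mail OTPs, keyed by account e-mail.
    `clock` is an injectable time source (hypothetical parameter, for testing)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}

    def issue(self, email: str) -> str:
        """Create a fresh code for `email`, replacing any earlier challenge (this is
        what "request a new login" does). The plaintext is returned only so the
        caller can put it in the e-mail; it is never stored."""
        # secrets.randbelow is a CSPRNG; zero-padding keeps all 10**6 codes equally likely.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[email] = PendingOtp(
            salt=salt,
            digest=_digest(salt, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, email: str, code: str) -> str:
        """Return "ok", "expired", "too_many_attempts" or "invalid" (status names are
        assumptions; they map onto the outcomes listed under Troubleshooting)."""
        rec = self._pending.get(email)
        if rec is None or rec.used:
            return "invalid"                  # nothing outstanding: a new login is needed
        if self._clock() > rec.expires_at:
            del self._pending[email]
            return "expired"
        if rec.attempts_left <= 0:
            return "too_many_attempts"        # locked until a new login replaces the record
        rec.attempts_left -= 1                # count the attempt before comparing
        if hmac.compare_digest(_digest(rec.salt, code), rec.digest):
            rec.used = True                   # single use: a replayed code cannot log in again
            return "ok"
        return "invalid"
```

Two details matter for the 6-digit space: the attempt is counted before the comparison, so five wrong guesses lock the challenge even for the right code until a new login replaces it, and the hash comparison uses `hmac.compare_digest` so response timing does not leak how many leading digits matched.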

Disabling MFA

Disabling requires your password as confirmation, so a leaked API key on its own cannot turn MFA off:
curl -X POST https://finceptbackend.share.zrok.io/user/mfa/disable \
  -H "X-API-Key: fk_user_your_key" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "SecurePass123!"
  }'
Response:
{
  "success": true,
  "message": "MFA disabled successfully"
}
Disabling MFA reduces account security. Only disable if absolutely necessary.

Troubleshooting

OTP Code Not Received

Check:
  1. Email spam/junk folder
  2. Email address is correct in profile
  3. Wait up to 2 minutes for delivery
Solution:
# Request new login (generates new OTP)
curl -X POST https://finceptbackend.share.zrok.io/user/login \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "SecurePass123!"}'

OTP Code Expired

{
  "success": false,
  "message": "MFA code expired"
}
Solution: Request a new login; it generates a fresh OTP valid for 10 minutes.

Too Many Failed Attempts

{
  "success": false,
  "message": "Too many MFA attempts"
}
Solution: Wait 10 minutes, or request a new login to reset the attempt counter.
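A client that applies the two solutions above automatically: on "MFA code expired" or "Too many MFA attempts" it abandons the current login and requests a new one (which e-mails a fresh code and resets the counter), on any other failed verification it lets the user retry, and the number of prompts per login is bounded by the documented 5-attempt limit so the client can never be the thing that locks the account. This is an added example for this page, not Fincept's client library; the `post` transport parameter, the `read_otp` callback, the `max_logins` bound and the exception name are assumptions, and it matches on the exact message strings shown in this section.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://finceptbackend.share.zrok.io"   # from this page
OTP_ATTEMPTS_PER_LOGIN = 5                           # "Attempts: 5 max" from the OTP table


class MfaLoginError(Exception):
    """Login could not be completed; the message is the backend's own text."""


def post_json(path, body, timeout=15):
    """Default transport: POST a JSON body and parse the JSON reply. Error replies
    are assumed to carry the same {"success": false, "message": ...} shape."""
    req = urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def login_with_mfa(email, password, read_otp, post=post_json, max_logins=2):
    """Two-step login that applies the troubleshooting rules above.

    read_otp:   callable returning the code the user read from their e-mail
    post:       callable(path, body) -> parsed JSON; injectable so the flow runs offline in tests
    max_logins: how many fresh logins (and therefore fresh OTPs) to request before giving up
    """
    for _ in range(max_logins):
        login = post("/user/login", {"email": email, "password": password})
        if not login.get("success"):
            # Bad password / unknown account: retrying cannot help and looks like a guessing attack
            raise MfaLoginError(login.get("message", "login failed"))
        data = login.get("data", {})
        if not data.get("mfa_required"):
            return data["api_key"]                  # MFA is not enabled on this account

        for _ in range(OTP_ATTEMPTS_PER_LOGIN):
            otp = read_otp().strip()
            if len(otp) != 6 or not otp.isdigit():
                continue                            # malformed input: do not spend a server-side attempt on it
            result = post("/user/verify-mfa", {"email": email, "otp": otp})
            if result.get("success"):
                return result["data"]["api_key"]
            if result.get("message") in ("MFA code expired", "Too many MFA attempts"):
                break                               # only a new login yields a fresh code / reset counter
            # any other failure (e.g. a mistyped code): let the user try again with this login
        # fall through: request a new login, which e-mails a new OTP

    raise MfaLoginError("MFA login not completed; wait and request a new login")
```

Usage: `login_with_mfa("you@example.com", password, read_otp=lambda: input("OTP: "))`. The password failure is deliberately not retried: looping on it would turn a typo into a credential-guessing pattern in the login log.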

Lost Access to Email

If you can’t access your email to receive the OTP:
  1. Contact [email protected] from registered email
  2. Provide account details for verification
  3. Support will assist with email update or MFA reset

Security Benefits

Protection Against

  • Password theft: even if your password is stolen, an attacker still cannot log in without the OTP code sent to your email.
  • Phishing: a fake login page that captures only your password gets no further, because the code goes to your mailbox rather than to the page. That protection ends if you type the code into the fake page, so never enter an OTP on a site you did not navigate to yourself.
  • Brute force: after 5 failed OTP attempts the login session is locked, so a 6-digit code cannot be guessed by an automated loop.
  • Credential stuffing: credentials leaked from other breaches won’t work without access to your email.

Additional Security Layers

When MFA is enabled:
  • Login attempts logged with IP address
  • Failed OTP attempts tracked
  • Email notification on successful login
  • Session timeout after inactivity

Best Practices

Do’s

  • Enable MFA on production accounts
  • Use strong, unique passwords
  • Monitor login history regularly
  • Keep email account secure
  • Enable 2FA on the email account itself; with email OTP, that mailbox is your second factor

Don’ts

  • Don’t share OTP codes
  • Don’t disable MFA without reason
  • Don’t use same password elsewhere
  • Don’t ignore suspicious login alerts

Code Examples

Python Login with MFA

import requests

BASE_URL = "https://finceptbackend.share.zrok.io"


def login_with_mfa(email, password):
    # Step 1: Login with email + password
    response = requests.post(
        f"{BASE_URL}/user/login",
        json={"email": email, "password": password},
        timeout=15,
    )
    data = response.json()
    if not data.get("success"):
        # Wrong password, unknown account, etc.: do not proceed to the OTP step
        raise RuntimeError(data.get("message", "login failed"))

    if data["data"].get("mfa_required"):
        # Step 2: Get OTP from user (the code was emailed when the login above succeeded)
        otp = input("Enter OTP from email: ").strip()

        # Step 3: Verify MFA; a successful response carries the API key
        mfa_response = requests.post(
            f"{BASE_URL}/user/verify-mfa",
            json={"email": email, "otp": otp},
            timeout=15,
        )
        mfa_data = mfa_response.json()
        if not mfa_data.get("success"):
            # "MFA code expired" / "Too many MFA attempts": start a new login
            raise RuntimeError(mfa_data.get("message", "MFA verification failed"))
        return mfa_data["data"]["api_key"]

    # MFA not enabled on this account: the key comes back directly
    return data["data"]["api_key"]


api_key = login_with_mfa("[email protected]", "SecurePass123!")

JavaScript Login with MFA

const BASE_URL = "https://finceptbackend.share.zrok.io";

async function postJson(path, body) {
  const res = await fetch(`${BASE_URL}${path}`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body)
  });
  return res.json();
}

async function loginWithMFA(email, password) {
  // Step 1: Login with email + password
  const loginData = await postJson("/user/login", { email, password });
  if (!loginData.success) {
    // Wrong password, unknown account, etc.: do not proceed to the OTP step
    throw new Error(loginData.message || "login failed");
  }

  if (loginData.data.mfa_required) {
    // Step 2: Get OTP from user (the code was emailed when the login above succeeded)
    const otp = (prompt("Enter OTP from email:") || "").trim();

    // Step 3: Verify MFA; a successful response carries the API key
    const mfaData = await postJson("/user/verify-mfa", { email, otp });
    if (!mfaData.success) {
      // "MFA code expired" / "Too many MFA attempts": start a new login
      throw new Error(mfaData.message || "MFA verification failed");
    }
    return mfaData.data.api_key;
  }

  // MFA not enabled on this account: the key comes back directly
  return loginData.data.api_key;
}

FAQs

Is MFA mandatory?
No, MFA is optional but highly recommended for production accounts and enterprise users.

Which MFA methods are supported?
Currently only email-based OTP is supported. Authenticator app support is planned.

What happens if I change my email address?
Update your email in profile settings. MFA will automatically use the new email.

Can I disable MFA temporarily?
Yes, but you’ll need to re-enable it manually. We recommend keeping it enabled.

Do API requests require MFA?
MFA only applies to login. Once you have your API key, use it directly without MFA for API requests.

Next Steps

Need help? Contact [email protected]