Headless MFA
Overview
Headless MFA provides API-based two-factor authentication (2FA) for applications built on a headless or decoupled Drupal architecture.
It lets the frontend application drive the login flow itself while Drupal acts as the backend that issues and validates the 2FA challenges.
Architecture Support
This feature works with:
- REST-based integrations
- Mobile applications
- Single Page Applications (SPAs)
- Progressive Web Apps (PWAs)
How It Works
- Authentication is handled through API calls instead of the Drupal login UI
- A customer API key authenticates the calling application to Drupal; it identifies the integration, not the end user
- The exchange is a challenge–response flow: Drupal issues a challenge, the user answers it, Drupal validates the answer
- Requests and responses are exchanged as JSON
Authentication Flow
- The user starts the login from the frontend application
- The frontend sends the request to Drupal via the API
- Drupal generates a 2FA challenge and delivers the one-time password (OTP) to the user over the configured method
- The user enters the OTP in the frontend, which submits it to Drupal
- Drupal validates the response against the challenge it issued
- On success, the login is completed and the frontend continues with the authenticated session
Supported 2FA Methods
- OTP over Email
- OTP over SMS
- OTP over Phone Call
Integration
Frontend applications (React, Vue, Angular, etc.) can implement the complete 2FA flow with API calls, without relying on Drupal's default login UI. Keep in mind that an API key embedded in browser or mobile code can be read by anyone who inspects the client, so it should be treated as identifying the integration rather than as a secret that protects user accounts; the OTP response is what actually proves possession of the second factor.