ReferenceMFA methods

MFA methods

Multi-factor authentication methods supported by Olympus

Olympus supports four primary MFA methods plus a step-up mechanism.

Method	AAL	Phishing-resistant
TOTP	AAL2	no
WebAuthn	AAL2 (AAL3 with attestation)	Yes
Backup codes	AAL2	no
Email/SMS code	Variable, often considered weaker than AAL2	no
Step-up auth	AAL1 → AAL2 mid-session	-

Recommendation: WebAuthn for primary MFA, lookup-secret as fallback. See Identity, MFA policy.

Resource Owner Password Credentials

Client collected the user's password and POSTed directly to the token endpoint. The user's password is in your app, defeats the point of OAuth2 delegation.

TOTP

6-digit codes generated by an authenticator app (Google Authenticator, 1Password, Authy).