Legacy vs New method
The legacy method for MFA requires you to customise the auth recipes we have to add MFA on top of it. Since it does not use the MFA recipe we have, it's free.
The limitations of using the legacy method are:
- It does not support TOTP, but only email / SMS OTP
- When the end user completes the email / SMS OTP factor, a separate user is created for that login method, and it is not linked to the user created by the first-factor login method. This means you will see two SuperTokens users for every single end user who goes through the MFA flow.
- It requires several customisations on top of the basic auth setup, which adds scope for error.
When should you use the legacy method?
- If you are not using our Node backend SDK, then you have to use this, since we do not yet support the MFA recipe for non-Node SDKs.
- If you are price sensitive and do not want to pay for the MFA recipe, then you can use this method. That being said, if you are using our managed service, then depending on your end users' login pattern, the number of MAUs you will be charged for can be double the actual MAU count (assuming all users complete 2FA each month), because each end user who completes both factors is counted as two SuperTokens users. This in turn is more expensive than using the MFA recipe.