Announcing FusionAuth 1.68 - Intelligent Kamfa

FusionAuth 1.68.0 puts its considerable brain power to the task of optimizing MFA challenge logic.

Published: June 30, 2026


Say hello to FusionAuth 1.68.0! In honor of our significant improvements to FusionAuth's MFA challenge flow, we've decided to name this one the Intelligent Kamfa, after a particularly brainy species of fish:

an image of a red kamfa fish with the caption 'intelligent kamfa presented an mfa challenge', image credit to redditor u/TorontoFishGuy


This version includes a new way of configuring MFA, new MFA challenge webhooks, a new variable for email and message templates, hashing for account recovery codes, custom names for TOTP authenticators, and updates for each of our SDKs.

Intelligent MFA

At this point, everyone on the internet is all too aware of multi-factor authentication (MFA) challenges. You provide your username and password. You get a text message, an email, a code in your authenticator app, or even a phone call. Type in the code, and you get access to your account. It works, but it can be tedious, especially if your authentication provider requires MFA challenges often.

Currently, FusionAuth provides an incredibly flexible method of triggering MFA challenges using the MFA Requirement Lambda. But not all of our users want to write and test custom JavaScript just to decide when to challenge users for a second factor. That's why we created Intelligent MFA, our own 'secret sauce' of variables that detect high-risk situations and automatically challenge users for an MFA code.

Many of our users spend a lot of time tweaking their configurations to minimize these MFA challenges. Logging in from your usual browser on your usual computer at your house? No need for a challenge. Logging in from an unknown browser on a never-before-seen mobile device in a foreign country? Yep, we're gonna need a code.

intelligent kamfa


If you already use the MFA Requirement Lambda, have no fear: you can still use your custom logic. In fact, you can incorporate these new signals into your lambda using the context object:

  • BotDetected - The browser library signals that the user is a bot.
  • BlocklistedIp - The IP address is blocklisted.
  • DormantAccount - The user hasn't logged in for a long time.
  • DormantPassword - The password hasn't been changed for a long time.
  • ImpossibleTravel - The distance between recent logins exceeds what a person can travel within the allotted time frame.
  • RecentIdentityChange - The user recently changed their identity.
  • RecentPasswordChange - The user recently changed their password.
  • SuspiciousUserAgent - The user agent is suspicious.
  • UnrecognizedDevice - The device has not been recognized.
  • UntrustedDevice - The device is not trusted.
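
One way to combine these signals into a challenge decision, as an added example that is not FusionAuth's code or its built-in Intelligent MFA logic. The signal names are the ones listed above; the function name `decideChallenge`, the weights, the threshold and the fail-closed handling of unknown names are assumptions, and because this page does not show how the context object exposes the signals, the function takes them as an array of names.

```javascript
// Hypothetical policy for illustration; weights and threshold are assumptions.
// Signals that point at takeover or automation force a challenge on their own.
const ALWAYS_CHALLENGE = new Set([
  'BotDetected', 'BlocklistedIp', 'ImpossibleTravel',
  'RecentIdentityChange', 'RecentPasswordChange',
]);

// Weaker signals only force a challenge when enough of them coincide.
const WEIGHTS = {
  DormantAccount: 2,
  DormantPassword: 1,
  SuspiciousUserAgent: 2,
  UnrecognizedDevice: 2,
  UntrustedDevice: 2,
};
const THRESHOLD = 3;

// signals: array of signal names for this login (duplicates are ignored).
function decideChallenge(signals) {
  const reasons = [];
  let score = 0;
  for (const name of new Set(signals || [])) {
    if (ALWAYS_CHALLENGE.has(name)) {
      reasons.push(`${name}: always challenge`);
    } else if (Object.prototype.hasOwnProperty.call(WEIGHTS, name)) {
      score += WEIGHTS[name];
    } else {
      // A misspelled or newly introduced signal must not be silently dropped.
      reasons.push(`${name}: unknown signal, failing closed`);
    }
  }
  if (score >= THRESHOLD) reasons.push(`risk score ${score} >= ${THRESHOLD}`);
  return { required: reasons.length > 0, score, reasons };
}
```

Returning the reasons alongside the decision lets you log why a user was challenged, which makes threshold tuning much easier.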

To learn more about rolling out Intelligent MFA in your FusionAuth instance, see the Intelligent MFA documentation.

MFA Challenge Webhooks

To support Intelligent MFA, we have added three new MFA lifecycle webhooks:

BaseUrl Variable

Email and message templates can now build links using the new baseUrl variable, instead of hard-coding a URL.

Hashed Recovery Codes

FusionAuth now hashes MFA recovery codes at rest using salted-pbkdf2-hmac-sha256, the same algorithm used by default for password hashing. Existing recovery codes will continue to work without interruption. This keeps user recovery codes as secure as possible. However, this security comes with some trade-offs:

  • When importing users via the Import Users API with plaintext recovery codes, FusionAuth will now hash each code during import. This could increase the time required to complete large imports containing many users with recovery codes. To avoid this overhead, you may pre-hash recovery codes before import and provide twoFactor.recoveryCodeEncryptionScheme and twoFactor.recoveryCodeWorkFactor alongside the pre-hashed values in twoFactor.recoveryCodes. For more information, see the Import Users API.
  • The Retrieve Recovery Codes endpoint (GET /api/user/two-factor/recovery-code/{userId}), deprecated since 1.64.0, now always returns an empty list. Because recovery codes are now hashed at rest, they can no longer be retrieved in plaintext after creation. If you need to provide a user access to their recovery codes, use the Generate Recovery Codes API (POST /api/user/two-factor/recovery-code/{userId}) to generate a new set.
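
The sketch below shows why both trade-offs follow from hashing at rest. It is an added example, not FusionAuth's implementation and not the Import Users API format. The record layout (`salt`, `hash`, `factor`), the iteration count, the code format and the function names are assumptions.

```javascript
const crypto = require('node:crypto');

const WORK_FACTOR = 24000; // assumed iteration count for this example
const KEY_LEN = 32;        // 256-bit derived key

// Hash one code with its own random salt; only salt, hash and factor are kept.
function hashCode(code, salt = crypto.randomBytes(16), factor = WORK_FACTOR) {
  const hash = crypto.pbkdf2Sync(code, salt, factor, KEY_LEN, 'sha256');
  return { salt: salt.toString('base64'), hash: hash.toString('base64'), factor };
}

// Generate n codes. The plaintext is returned once for display and never
// stored, which is why a later "retrieve" call has nothing to return.
function generateRecoveryCodes(n = 10) {
  const plaintext = Array.from({ length: n }, () =>
    crypto.randomBytes(5).toString('hex').toUpperCase());
  return { plaintext, stored: plaintext.map((c) => hashCode(c)) };
}

// Check a submitted code against every stored record and consume the match.
// Each record has its own salt, so one attempt costs one PBKDF2 run per
// record: the same per-code cost that slows a large plaintext import.
function redeem(stored, submitted) {
  let matchIndex = -1;
  stored.forEach((rec, i) => {
    const candidate = crypto.pbkdf2Sync(
      submitted, Buffer.from(rec.salt, 'base64'), rec.factor, KEY_LEN, 'sha256');
    // Constant-time comparison of two equal-length derived keys.
    if (crypto.timingSafeEqual(candidate, Buffer.from(rec.hash, 'base64'))) {
      matchIndex = i;
    }
  });
  if (matchIndex === -1) return false;
  stored.splice(matchIndex, 1); // recovery codes are single use
  return true;
}
```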

Custom Names for Two-Factor Methods

Users can now specify a custom name when adding a two-factor method. This helps to disambiguate during MFA method selection and management. You can rename existing methods using the API or self-service.

SDKs

Together with this FusionAuth release, we are releasing the following new SDK versions:


We also fixed a large number of bugs: for a full list, take a look at entries marked with the fix category in the release notes.

Thanks again for using FusionAuth! And if you happen to own a kamfa fish, remember: it might be more intelligent than you think.
