TESTNET
Markets
Trade
Lending Vaults
More
User Docs Developer Docs Sdk API Docs Help
Welcome to Polyester
Concepts
Overview
Creating an Account
Authentication Methods
Turnkey
Smart Wallets
Dashboard
Account Security
MFA
Asset Lifecycle
Supported Assets
Deposit Funds
Withdraw Funds
Transfer Funds
Inventory and Supply
Overview
Trading Fees
Base vs Quote
Lending Fees
Withdrawal Fees
Liquidation Fees
Rebates
Overview
On-chain Visibility
Overview
Supplying
Borrowing
Collateral
Interest
Liquidations
Overview
Trades
Candles
Order Book
Data Delivery
Notifications
Appearance
Localization
Sound Effects
Overview
Architecture
Benchmarks
Matching Engine
Settlement
Safeguards
Overview
Validators
Gas Abstraction
Layer-1 Benchmarks
Audits
Read Pre-compiles
Create Invite Code
Managing Links/Codes
Claiming Rewards
Auto-Convert Rewards
Overview
Create/Delete subaccounts
Permissions
Roles
Audit Logs
Unified Trading Account
Spot Trading
Order Types
Tools
Privacy
Custom Layouts
Overview
Asset Wrapping
Vaults
Zipper Security
What Is TEE?
  1. Accounts
  2. /
  3. MFA

MFA

MFA

MFA (Multi-Factor Authentication) adds a second layer of identity verification for sensitive account actions. Logging in grants access to the account, but withdrawals, transfers, and security changes all require an additional proof of identity before they proceed.

MFA is optional to set up, but certain actions on Polyester require it before they can be performed.


Supported Factors

Two factor types are available. Multiple factors of each type can be active at the same time, and both types can be active simultaneously.

Passkey The most secure option.

Uses Face ID, Touch ID, Windows Hello, a laptop PIN, or a hardware security key such as YubiKey or Google Titan. Passkeys are phishing-resistant. They are bound to the user's device or hardware and cannot be intercepted or replicated by a phishing site.

Authenticator App Generates a 6-digit time-based code that refreshes every 30 seconds.

Works with 1Password, Authy, Google Authenticator, and any compatible TOTP app. In the authenticator app, the account appears as Polyester Exchange: [username].

Tip
When multiple factors exist, the user can choose which one to use for any given step-up prompt.

Recovery Codes

Recovery Codes

During initial MFA setup, 10 single-use recovery codes are generated automatically. These codes can be used to authenticate if the primary factor is unavailable. Store them offline in a secure location.

Recovery codes can be regenerated from Settings at any time, which requires step-up verification and invalidates the previous set.


Setup and Adding Factors

Location: Account menu → Settings → Security

Initial Setup

Initial setup When no MFA is configured, two options are presented: add a passkey or add an authenticator app. Completing either one enables MFA on the account and generates the 10 recovery codes.

Adding More Factors

Adding more factors Once MFA is set up, additional factors can be added by clicking 'Add method' in Settings. Step-up verification with an existing factor is required before a new one can be added.


Actions That Require MFA

The following actions require fresh MFA verification every time, regardless of how recently MFA was completed:

  • Withdrawals
  • Transfers
  • Inviting or removing subaccount members
  • Changing subaccount policy
  • Creating or deleting API keys
  • Changing API key policy
  • Modifying withdrawal whitelists
  • Deleting an MFA factor
  • Regenerating recovery codes
Trading and API key session do not require MFA.
All trading actions (placing, canceling, and amending orders) and automated workflows using API keys are exempt.

Removing MFA Factors

MFA cannot be fully removed once enabled. If a user attempts to remove their only factor, the system requires a replacement to be added first before the existing one can be deleted.

Removing a factor always requires step-up verification using the existing factor being removed.

No Recovery Path If All Factors Are Lost
If access to all MFA factors and all recovery codes is lost, there is no recovery path. Polyester cannot reset or bypass MFA. All MFA-gated actions, including withdrawals, transfers, and key management, become permanently inaccessible. Store recovery codes securely offline.
Previous

Account Security

Next

Asset Lifecycle

  • Supported Factors
  • Recovery Codes
  • Setup and Adding Factors
  • Actions That Require MFA
  • Removing MFA Factors