bretterer / HTTP-250-2FA-Required

HTTP Status Code 250 Spec - Used for when Login was successful but a second factor is required for full log in

Communicate how to complete the additional factor(s). #1

Open tjlytle opened 7 years ago

tjlytle commented 7 years ago

Seems like the response should communicate something about how the factor can be completed. Many 2FA / MFA steps require the requester to send a user provided auth code. Some steps are completely out of band (for example, a challenge sent and completed by a known app/device).

Two things should be communicated:

Using 3XX and 201 as guides, proposed addition:

The response SHOULD include an entity describing how the additional factor(s) can be completed. The URI for completing the additional factor(s) SHOULD be given by the Location field in the response.
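The exchange the proposal describes, as an added example that is not from the issue author or the spec: the server returns 250 with a Location and a body listing the methods, and the client must treat 250 as "not logged in yet". The endpoint path, JSON field names and method types are assumptions.

```python
import json
from urllib.parse import urljoin

# The proposed 250 "2FA required" status from the issue above. Everything
# else here (endpoint path, JSON field names, method modes) is a constructed
# example, not part of the proposal.
MFA_REQUIRED = 250

def build_mfa_required(request_url, challenge_id, methods):
    """Server side: the password checked out but a second factor is still
    outstanding. Per the proposed text, Location names where the factor is
    completed and the entity describes how."""
    headers = {
        "Location": urljoin(request_url, f"/login/factor/{challenge_id}"),
        "Content-Type": "application/json",
    }
    body = json.dumps({"challenge": challenge_id, "methods": methods})
    return MFA_REQUIRED, headers, body

def next_step(status, headers, body):
    """Client side: decide what a login response means.
    250 sits in the 2xx class, so it must be tested before any generic
    'any 2xx is success' branch, or the client will believe it is logged in
    while the server still treats the session as only half authenticated."""
    if status == MFA_REQUIRED:
        location = headers.get("Location")
        if not location:
            raise ValueError("250 without Location: no way to complete the factor")
        methods = json.loads(body)["methods"]
        # In-band methods (e.g. a TOTP code) need user input sent to Location;
        # out-of-band ones (e.g. a push prompt) are completed elsewhere and
        # only need Location checked again once the user has approved.
        return {
            "action": "complete_factor",
            "url": location,
            "needs_user_code": [m["id"] for m in methods if m["mode"] == "in_band"],
            "wait_for": [m["id"] for m in methods if m["mode"] == "out_of_band"],
        }
    if 200 <= status < 300:
        return {"action": "logged_in"}
    return {"action": "failed", "status": status}

# Constructed exchange: one in-band and one out-of-band method on offer.
METHODS = [
    {"id": "totp", "mode": "in_band"},
    {"id": "push", "mode": "out_of_band"},
]

def demo():
    status, headers, body = build_mfa_required(
        "https://example.test/login", "c1a2b3", METHODS)
    return next_step(status, headers, body)
```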

tjlytle commented 7 years ago

I think an established format for communicating how to complete the factor(s) is worthwhile, however, it's definitely outside of the scope of the HTTP status code. Perhaps a sibling proposal for an MFA Required type similar to HTTP Problem in terms of flexibility would be beneficial.