Multifactor authentication is possible entirely from within the UCAN construction, or via an external provider. This closely resembles the MFA systems in common use today: a second party vouches for the validity of a login or other statement. The vouching is mediated by a challenge delivered via email, SMS, or an authenticator application. Once the challenge is validated, the external party cosigns a UCAN, or takes part in aggregate decryption for read access.
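The challenge-then-cosign flow described above, as an added example that is not part of the original page or the UCAN specification. The token layout (a JWT-style string plus a detached provider cosignature), the function names, and the `did:example:` identifiers are assumptions made for illustration.

```javascript
// Added example. ASSUMPTION: the cosignature is a detached Ed25519 signature
// by the provider over the full user-signed token; the page defines no wire format.
const { generateKeyPairSync, sign, verify, randomBytes, timingSafeEqual } = require("node:crypto");

const b64 = (x) => Buffer.from(x).toString("base64url");

// Keys for the user and the second-factor provider (constructed for the example).
const user = generateKeyPairSync("ed25519");
const provider = generateKeyPairSync("ed25519");

// Step 1: the user signs a JWT-style token: header.payload.signature
function issueToken(payload, privateKey) {
  const body = `${b64(JSON.stringify({ alg: "EdDSA", typ: "JWT" }))}.${b64(JSON.stringify(payload))}`;
  return `${body}.${b64(sign(null, Buffer.from(body), privateKey))}`;
}

// Step 2: the provider creates a one-time challenge, sent out of band
// (email, SMS, or authenticator application).
function newChallenge() {
  return { code: randomBytes(4).toString("hex"), used: false };
}

// Step 3: the provider cosigns only if the response matches an unused challenge.
function cosign(token, challenge, response, providerKey) {
  const a = Buffer.from(challenge.code), b = Buffer.from(String(response));
  if (challenge.used || a.length !== b.length || !timingSafeEqual(a, b)) return null;
  challenge.used = true; // one-time: a replayed response is rejected
  return b64(sign(null, Buffer.from(token), providerKey));
}

// Step 4: a verifier accepts the token only when both signatures check out.
function verifyMfa(token, cosig, userPub, providerPub) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s || !cosig) return false;
  const userOk = verify(null, Buffer.from(`${h}.${p}`), userPub, Buffer.from(s, "base64url"));
  const providerOk = verify(null, Buffer.from(token), providerPub, Buffer.from(cosig, "base64url"));
  return userOk && providerOk;
}

// Demo run with constructed values.
const demoToken = issueToken({ iss: "did:example:alice", aud: "did:example:service" }, user.privateKey);
const demoChallenge = newChallenge();
const demoCosig = cosign(demoToken, demoChallenge, demoChallenge.code, provider.privateKey);
console.log("accepted with both signatures:", verifyMfa(demoToken, demoCosig, user.publicKey, provider.publicKey));
console.log("accepted without cosignature:", verifyMfa(demoToken, null, user.publicKey, provider.publicKey));
```

Because the cosignature covers the whole user-signed token, it cannot be moved onto a different token, and a verifier that requires it rejects tokens that never passed the challenge.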