Possibility to Enroll in Email MFA or OTP
- Multifactor Authentication (MFA)
- MFA Factors
As explained in the Email MFA not Visible for Users Enrolled article, Email MFA is not considered a true additional factor, so more secure factors will default to being enrolled when available.
- If triggering MFA in an Action using "api.multifactor.enable('any')", the user will be prompted to enroll with OTP for a first-time login (or the most secure factor enabled on the tenant). On return visits, however, a button to Try another method is made available, where, provided the user has verified their email previously, they can select email
- Use the Custom MFA Selection feature in Actions to provide more control over what factor is enrolled or challenged and when:
It would also check to see if they had enrolled OTP and enroll this if it was missing. Once enrolled with both OTP and Email, on return visits, the user would be presented with a selection dialogue:
exports.onExecutePostLogin = async (event, api) => {
if (!event.user.email_verified) { //Optional check to skip MFA for unverified emails, allows Email MFA to be enrolled before OTP
console.log("User not verified, skipping MFA");
return; //End action early
}
if (event.user.enrolledFactors.length) {
//User has an existing enrolment, challenge it:
console.log("Enrolled in:",event.user.enrolledFactors);
api.authentication.challengeWithAny(event.user.enrolledFactors.map(m => ({type: m.type})));
if (!event.user.enrolledFactors.some(m => m.type === 'otp')) { //If OTP is not yet enrolled, enroll it now
api.authentication.enrollWithAny([{type: 'otp'}]);
}
} else {
console.log("No enrolment yet")
api.authentication.enrollWithAny([{type: 'otp'}]); //Email cannot be specified for enrolment due to it being automatic for verified emails
}
}
