This article details how to write an MFA Once Per Session Action.

• Action
• Multi-Factor Authentication (MFA)
• Single Page Applications (SPA)

When creating an action, select "Choose a template", and search for "Require MFA once per session" under the tag "POST-LOGIN".

This gives the following template:

exports.onExecutePostLogin = async (event, api) => {
    // if the array of authentication methods is valid and contains a method named 'mfa', mfa has been done in this session already
    if (
        !event.authentication ||
        !Array.isArray(event.authentication.methods) ||
        !event.authentication.methods.find((method) => method.name === 'mfa')
    ) {
        api.multifactor.enable('any');
    }
};

The action will check if MFA has been used to authenticate and skip it if it has.