Problem statement
How to use enrollWith
and challengeWith
via the Action to force users to enroll into a new factor if they already enrolled in one other?
Solution
If the user is already enrolled into one factor, let’s say phone
, the enrollWith
command will fail as the user must verify the existing factor before enrolling an additional factor. Here is a sample Action script that shows the correct sequence:
exports.onExecutePostLogin = async (event, api) => {
console.log(`Action started`);
const alreadyEnrolled = event.user.enrolledFactors;
console.log(`Check if the user already has any MFA enrollments`);
if (alreadyEnrolled.length > 0) {
console.log(`The user already enrolled in some MFAs. Needs to pass a challenge.`);
api.authentication.challengeWithAny([
{ type: 'phone' }, { type: 'push-notification' }, { type: 'email' }, { type: 'otp' }
]); // here we ask the user to verify the existing MFA
const enrolledInOTP = (event.user.enrolledFactors || []).filter(f => f.type === 'otp').map(f => ({ type: f.type }));
if (enrolledInOTP.length === 0) { // here we check if the user is enrolled into OTP
console.log(`The user is not enrolled in OTP`);
api.authentication.enrollWith(
{ type: 'otp' }
) // here we invite the user to enrol into OTP
}
} else {
console.log(`The user doesn't have any MFAs`);
api.authentication.enrollWithAny([
{ type: 'phone' }, { type: 'push-notification' }, { type: 'email' }, { type: 'otp' }
]) // here we allow the user to enrol into one of the factors listed above
}
};
Please also review this article for more information Customize MFA Enrollments in New Universal Login.