Feature: Support restricting MFA factor types together with allowRememberBrowser: false
Description:
The Actions MFA API splits two capabilities across two methods, with no way to combine them:
- api.multifactor.enable(provider, { allowRememberBrowser: false }) suppresses the “Remember this device” checkbox, but provider only accepts 'any' | 'duo' | 'google-authenticator' | 'guardian'. There is no way to restrict to a specific subset of factor types.
- api.authentication.challengeWithAny([{ type: 'webauthn-platform' }, ...]) restricts to a specific list of factor types, but does not accept allowRememberBrowser. Calling multifactor.enable(..., { allowRememberBrowser: false }) beforehand does not suppress the checkbox either.
Result: you can either restrict factors or hide the remember-device checkbox, never both.
Either of these would resolve it:
- Accept a factor-type array as the first argument of api.multifactor.enable, e.g. api.multifactor.enable(['webauthn-platform', 'webauthn-roaming'], { allowRememberBrowser: false }).
- Accept allowRememberBrowser as an option on challengeWith/challengeWithAny (already requested in this thread).
Use-case:
Step-up authentication flows where different operations require different classes of authenticator, with the required class indicated by acr_values. challengeWithAny is the only API that enforces the factor-type restriction, but it leaves the “Remember this device” checkbox visible, which contradicts a policy of re-authenticating every protected operation. Today, the only workarounds are a full ACUL implementation to hide one checkbox, or multifactor.enable('any') with downstream factor-class enforcement that denies users after they complete the wrong factor. Both are disproportionate for what one missing parameter is.
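The step-up flow described in this request, sketched as a post-login Action. This is an added example, not code from the original post or from Auth0. The ACR URNs, the ACR_FACTORS map and the factorsForAcr helper are hypothetical, the 'otp' factor type and the event.transaction.acr_values and api.access.deny calls are assumed from the Actions post-login API, and the handler fails closed when it does not recognise the requested ACR.

```javascript
// Hypothetical ACR values mapped to the factor classes each one permits.
// Listed strictest first, so the strictest requested class wins.
const ACR_FACTORS = [
  ['urn:example:acr:phishing-resistant', ['webauthn-platform', 'webauthn-roaming']],
  ['urn:example:acr:any-mfa', ['webauthn-platform', 'webauthn-roaming', 'otp']],
];

// Return the allowed factor types for the requested acr_values,
// or null when none of the requested values is known.
function factorsForAcr(acrValues) {
  const requested = new Set(acrValues || []);
  for (const [acr, types] of ACR_FACTORS) {
    if (requested.has(acr)) return types;
  }
  return null;
}

// In an Action this handler would be assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  // Assumption: acr_values arrives as an array of strings on the transaction.
  const requested = (event.transaction && event.transaction.acr_values) || [];
  if (requested.length === 0) return; // no step-up requested

  const types = factorsForAcr(requested);
  if (!types) {
    // Fail closed: an unrecognised ACR must not silently fall back to "any".
    api.access.deny('Unsupported acr_values for step-up authentication');
    return;
  }

  // Restricts the challenge to the permitted factor classes. As the request
  // notes, there is no allowRememberBrowser option to pass here, so the
  // "Remember this device" checkbox remains visible.
  api.authentication.challengeWithAny(types.map((type) => ({ type })));
};
```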