Associate MFA factor from own UI: error on factor activation

Hi Dan, thank you so much for taking the time to look into this!

We want to use this in a Node.js application, so the user is signed in normally and we specify the MFA API endpoint with the enroll scope. There’s no MFA required error or MFA token issued at this point.

The documentation for the MFA API gave me the impression there are two ways to go through this flow:

  1. Hit an MFA required error and enroll from there for the first factor a user adds
  2. Trigger enrollment for a fully authenticated user to add additional factors

I’m working under the assumption that number 1 is only possible if the user has no factors enrolled yet, as enrolling a new factor every time MFA is required would mean you can basically skip the MFA factor… How would that work when enrolling a second factor, say, a user enrolls OTP first and then SMS later?

If number 2 is not possible, I’d really appreciate a suggestion on how to allow users to set up MFA in a self service dashboard. Would we have to write a rule that triggers an MFA required error whenever the enroll scope is requested and work from there?
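The two routes the post lists, as an added example that is not part of the original thread or Auth0's own code: a Node.js sketch of the associate-then-confirm exchange against a constructed fake transport. The `/mfa/associate` and `/oauth/token` paths, the `authenticator_types`/`oob_channels` body fields and the `mfa-otp`/`mfa-oob` grant types follow Auth0's MFA API documentation; the tenant domain, client id, tokens, codes, `fakeTransport` and the assumption that an enroll-scoped access token is passed as `mfa_token` in the confirmation call are placeholders and assumptions of this example.

```javascript
// Added example (not from the original thread): the two routes to Auth0's MFA
// API that the post lists, as a request/response exchange against a constructed
// fake transport. Endpoint paths and grant_type values follow Auth0's MFA API
// documentation; the tenant domain, client id, tokens and codes are placeholders.
const DOMAIN = 'tenant.example.auth0.com';   // assumption: placeholder tenant
const CLIENT_ID = 'client-id-placeholder';   // assumption: placeholder client

// Route 1: a plain /oauth/token attempt failed with error=mfa_required and
// returned an mfa_token. Route 2: an already-signed-in user holds an access
// token for audience https://{DOMAIN}/mfa/ with scope "enroll". Either one is
// the Bearer token for /mfa/associate. (Assumption for route 2: the same access
// token is also passed as mfa_token in the confirmation call.)
function tokenForEnrollment(ctx) {
  const err = ctx.mfaRequiredError;
  if (err) {
    if (err.error !== 'mfa_required' || !err.mfa_token) {
      throw new Error('expected an mfa_required error carrying mfa_token');
    }
    return err.mfa_token;
  }
  if (ctx.enrollAccessToken) return ctx.enrollAccessToken;
  throw new Error('no mfa_token and no enroll-scoped access token');
}

// Step 1: POST /mfa/associate. OTP needs no extra data; SMS is an "oob"
// authenticator with channel "sms" and the phone number to bind.
function associateRequest(token, factor) {
  const body = factor.type === 'otp'
    ? { authenticator_types: ['otp'] }
    : { authenticator_types: ['oob'], oob_channels: ['sms'], phone_number: factor.phoneNumber };
  return { method: 'POST', url: `https://${DOMAIN}/mfa/associate`,
           headers: { authorization: `Bearer ${token}` }, body };
}

// Step 2: POST /oauth/token with the MFA grant type; this is the call that
// activates the authenticator. OTP sends the code from the app; SMS sends the
// oob_code from step 1 plus the code the user received (binding_code).
function confirmRequest(token, factor, associated, userCode) {
  const body = factor.type === 'otp'
    ? { grant_type: 'http://auth0.com/oauth/grant-type/mfa-otp',
        client_id: CLIENT_ID, mfa_token: token, otp: userCode }
    : { grant_type: 'http://auth0.com/oauth/grant-type/mfa-oob',
        client_id: CLIENT_ID, mfa_token: token,
        oob_code: associated.oob_code, binding_code: userCode };
  return { method: 'POST', url: `https://${DOMAIN}/oauth/token`, headers: {}, body };
}

// Full enrollment: associate, hand the secret/prompt to the user, confirm.
// `transport(req)` returns { status, body }; `getUserCode(associated)` yields
// the code the user types. Returns a summary rather than the raw responses.
function enrollFactor(transport, ctx, factor, getUserCode) {
  const token = tokenForEnrollment(ctx);
  const a = transport(associateRequest(token, factor));
  if (a.status !== 200) throw new Error(`associate failed: ${a.body.error}`);
  const c = transport(confirmRequest(token, factor, a.body, getUserCode(a.body)));
  if (c.status !== 200) throw new Error(`activation failed: ${c.body.error}`);
  return { type: factor.type, activated: true,
           recoveryCodes: a.body.recovery_codes || [],
           secret: a.body.secret || null };
}

// Constructed fake transport standing in for the tenant. It accepts any token
// starting with "good-", returns OTP/SMS associate bodies shaped like the
// documented ones, and only confirms the code "123456".
function fakeTransport(req) {
  const bearer = (req.headers.authorization || '').replace('Bearer ', '');
  if (req.url.endsWith('/mfa/associate')) {
    if (!bearer.startsWith('good-')) return { status: 401, body: { error: 'invalid_token' } };
    return req.body.authenticator_types[0] === 'otp'
      ? { status: 200, body: { authenticator_type: 'otp', secret: 'JBSWY3DPEHPK3PXP',
          barcode_uri: 'otpauth://totp/example', recovery_codes: ['RC1'] } }
      : { status: 200, body: { authenticator_type: 'oob', oob_channel: 'sms',
          binding_method: 'prompt', oob_code: 'oob-1', recovery_codes: ['RC2'] } };
  }
  if (req.url.endsWith('/oauth/token')) {
    if (!String(req.body.mfa_token).startsWith('good-')) return { status: 401, body: { error: 'invalid_grant' } };
    const code = req.body.otp || req.body.binding_code;
    return code === '123456'
      ? { status: 200, body: { access_token: 'at', token_type: 'Bearer' } }
      : { status: 403, body: { error: 'invalid_grant' } };
  }
  return { status: 404, body: { error: 'not_found' } };
}
```

The point the fake makes visible is that both routes converge on the same two calls; only the origin of the Bearer token differs. A wrong or missing code fails at the confirmation call, not at associate, so an "error on factor activation" is the second request, and the response body's `error` field is what to log.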