Auth0 SPA silent auth failing due to SMS MFA

Looks like this is a recurring topic for people, but there are no good answers.

We’re trying to force people to enroll in MFA whilst allowing silent auth in a SPA using the new Universal Login.
If we do that, silent auth fails (with mfa required) if people do not select “remember me for 30 days”.

There is this article, Configure Silent Authentication, but the event in our case does not contain mfa in the authentication method list. Also, the API call based on the docs seems to only work with google-authenticator, not when SMS is used.

We want to only require MFA on the first session, and if the user is active, silent auth to work.

Some of the MFA API functionality wasn’t quite clear, but I found a workaround, or figured out what it intends. I think it does not introduce any issues.

exports.onExecutePostLogin = async (event, api) => {
  // Authentication methods already completed in this session (e.g. 'pwd', 'mfa').
  const authMethods = event.authentication?.methods || [];

  const completedMfa = authMethods.some((method) => method.name === 'mfa');

  if (!completedMfa) {
    // MFA yet to be done. Force MFA.
    api.multifactor.enable('any', { allowRememberBrowser: true });
  } else {
    // Skip MFA if MFA auth is already done in this session (keeps silent auth working).
    api.multifactor.enable('none', { allowRememberBrowser: false });
  }
};
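As an added example (not code from the thread or from Auth0), the same decision rule factored into a pure function and run against constructed Action events, including the shape the original poster describes where `mfa` is missing from the methods list and the case where `event.authentication` is absent entirely:

```javascript
// Added example: the reply's rule as a pure function over the Auth0 Actions
// `event.authentication.methods` structure (entries like { name, timestamp }).
// All sample events below are constructed for illustration.

// Returns the provider and options the Action would hand to api.multifactor.enable().
function decideMfa(event) {
  const authMethods = (event.authentication && event.authentication.methods) || [];
  const completedMfa = authMethods.some((m) => m.name === 'mfa');
  return completedMfa
    ? { provider: 'none', options: { allowRememberBrowser: false } } // MFA already done this session
    : { provider: 'any', options: { allowRememberBrowser: true } };  // challenge for MFA
}

// Action body; in Auth0 this is assigned to exports.onExecutePostLogin and `api`
// is the real Actions API. Here it is a plain function so it can run offline.
async function onExecutePostLogin(event, api) {
  const { provider, options } = decideMfa(event);
  api.multifactor.enable(provider, options);
}

// Minimal stand-in for the Actions `api` object that records what was requested.
function makeRecordingApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider, options) => calls.push({ provider, options }) } };
}

// Constructed events: first interactive login (password only), a later silent-auth
// refresh with MFA recorded in the session, and an event with no authentication info.
const FIRST_LOGIN = { authentication: { methods: [{ name: 'pwd', timestamp: '2024-01-01T09:00:00.000Z' }] } };
const SILENT_AUTH_AFTER_MFA = {
  authentication: {
    methods: [
      { name: 'pwd', timestamp: '2024-01-01T09:00:00.000Z' },
      { name: 'mfa', timestamp: '2024-01-01T09:00:30.000Z' },
    ],
  },
};
const NO_AUTH_INFO = {};

// Runs the Action against one event and returns the single enable() call it made.
async function runAction(event) {
  const api = makeRecordingApi();
  await onExecutePostLogin(event, api);
  return api.calls[0];
}
```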
