In order to pass HIPAA certification we need to block username-password users that weren’t active for a certain time. There is no such option available out of the box in the management panel, and there is also no field in context that could indicate that the user passed all auth stages (password, MFA forced conditionally from a rule, other rules that may throw UnauthorizedError for some other reason).
Am I missing something? Any ideas how to implement this?
We are using auth0-spa-js with a popup on the app side, so there are no redirects (not sure if this is important).