In order to pass HIPAA certification we need to block username-password users that weren’t active for certain time. There is no such option available out of the box in management panel, and there is also no field in user or context that could indicate that user passed all auth stages (password, MFA forced conditionally from a rule, other rules that may throw UnauthorizedError for some other reason)
Am I missing something? Any ideas how to implement this?
We are using auth0-spa-js with popup on the app side, so there are no redirects (not sure if this is important)
Unfortunately this does not work for me. I need to set a value to user_metadata only when user has passed MFA and other rules that may throw. I created a rule to update user_metadata and put it at the end of rules list, and it was executed before passing MFA or after previous rule thrown an error. I looked to user and context objects but seems there is no way to know that user successfully passed previous steps and rules.