Bypass Adaptive MFA using Actions

Problem statement

When using the Adaptive MFA feature, it is possible to bypass it so that it does not trigger in some scenarios, such as automated testing. Other common situations where MFA may need to be bypassed are “Refresh Token” flows and “Silent Authentication”.

Symptoms

Adaptive MFA is triggering during automated tests.

Solution

Adaptive MFA in an Action can be bypassed by including the following line within an if statement:

api.multifactor.enable('none');

The following is an example of this code in an Action, where MFA is skipped if the user logs in with a SAML connection but is triggered in all other login scenarios:

exports.onExecutePostLogin = async (event, api) => {
  // Users arriving through a SAML enterprise connection skip MFA.
  if (event.connection.strategy === "samlp") {
    api.multifactor.enable('none');
  } else {
    // Everyone else is challenged (and may remember the browser).
    if (!event.user.multifactor || event.user.multifactor.length === 0) {
      api.multifactor.enable('any', { allowRememberBrowser: true });
    }
  }
};

Here is another example, which bypasses MFA during a Refresh Token flow:

exports.onExecutePostLogin = async (event, api) => {
  // Refresh token exchanges use the "oauth2-refresh-token" protocol; every other flow is challenged.
  const protocol = event?.transaction?.protocol;
  if (protocol !== "oauth2-refresh-token") {
    console.log("Non refresh token flow detected - forcing MFA");
    api.multifactor.enable('any');
  }
};

Here is an example of bypassing MFA during a “Silent Authentication” (review the tenant configuration to ensure this is appropriate: with long token or session lifetimes, MFA will not be presented to the end user until a user action is required to log back in):

exports.onExecutePostLogin = async (event, api) => {
  // Silent authentication requests carry prompt=none and cannot render an MFA challenge.
  const prompt = event?.request?.query?.prompt;
  if (prompt === 'none') {
    api.multifactor.enable('none');
  }
};
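As an added example (not code from the original article), the three exemptions above combined into a single Post-Login Action whose decision is a pure function, so each exemption can be asserted locally before the Action is deployed. It assumes only the event fields already used on this page (`event.connection.strategy`, `event.transaction.protocol`, `event.request.query.prompt`); `mockApi` is a constructed stand-in for the Actions `api` object, used only for local testing.

```javascript
// Added example: one Post-Login Action that applies the SAML, refresh-token
// and silent-authentication exemptions, with the decision kept separate from
// the api.multifactor.enable side effect.

// Returns { mode, reason }: mode is the argument for api.multifactor.enable,
// reason is logged so the exemption is visible in tenant logs.
function decideMfa(event) {
  const strategy = event?.connection?.strategy;
  const protocol = event?.transaction?.protocol;
  const prompt = event?.request?.query?.prompt;

  // SAML enterprise connection: MFA is expected to be handled by the IdP.
  if (strategy === "samlp") {
    return { mode: "none", reason: "saml-connection" };
  }
  // Refresh token exchange: no user is present to complete a challenge.
  if (protocol === "oauth2-refresh-token") {
    return { mode: "none", reason: "refresh-token" };
  }
  // Silent authentication (prompt=none): an MFA prompt cannot be rendered.
  if (prompt === "none") {
    return { mode: "none", reason: "silent-auth" };
  }
  // Any other (interactive) login is challenged; remembered browsers allowed.
  return { mode: "any", reason: "interactive-login" };
}

async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  console.log(`MFA decision: ${decision.mode} (${decision.reason})`);
  if (decision.mode === "any") {
    api.multifactor.enable("any", { allowRememberBrowser: true });
  } else {
    api.multifactor.enable("none");
  }
}

// Entry point expected by the Auth0 Actions runtime.
if (typeof exports === "object") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the Actions `api` object: records enable() calls.
function mockApi() {
  const calls = [];
  return { calls, multifactor: { enable: (mode, opts) => calls.push({ mode, opts }) } };
}
```

Because the exemption reason is logged on every login, a tenant log search for "MFA decision: none" shows exactly which flows are skipping the challenge.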