Bypass MFA for a Certain User

Overview

This article shows an Auth0 Action that lets one specific user skip the MFA challenge, so that an automated testing or scanning system can log in without being blocked by MFA. If other conditions are needed (for example, limiting the bypass to a particular connection, source network, or environment), the Action can be adjusted accordingly.

Applies To

  • Multifactor Authentication (MFA)
  • Bypass MFA

Solution

NOTE:

  • Security Implications: Bypassing MFA for any account reduces security. Use a dedicated account for the scanner, give it only the access it needs, monitor its logins, and remove the Action when it is no longer needed.
  • Environment: Ensure this Action is active only in the tenant where it is needed (e.g., staging or testing) and not in production.
  • Matching: The script below identifies the account by email address. An email address can be unverified or appear on more than one connection, so for a tighter match use the account's user_id, or additionally check event.connection.name and event.user.email_verified.

To achieve this, add the following Action to the Login flow (Post Login trigger):

exports.onExecutePostLogin = async (event, api) => {
  // Email of the single account allowed to skip MFA (replace with the scanner account)
  const noMFA_UserEmail = "useruser@test.com";

  // Compare case-insensitively; event.user.email may be absent for some connections
  const userEmail = (event.user.email || "").toLowerCase();
  const skipMFA = userEmail === noMFA_UserEmail.toLowerCase();

  // Tell Auth0 not to issue an MFA challenge for this login; every other user
  // keeps the tenant's normal MFA policy
  if (skipMFA) {
    api.multifactor.enable("none");
  }
};
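The following is an added example, not the article's own script, showing a stricter form of the same Action: the MFA challenge is skipped only when the login is for the scanner's user_id, on the expected connection, and from an allowlisted source network. The secret names SCANNER_USER_ID, SCANNER_CONNECTION and SCANNER_CIDRS, the sample user_id and the sample addresses are assumptions for illustration; the Action reads them from its Secrets store, which is configured per tenant, so a tenant that never sets them (such as production) never bypasses MFA.

```javascript
// Added example (not the article's own code): a stricter "skip MFA for one
// user" Action. Every condition must hold before the MFA challenge is skipped;
// otherwise the Action does nothing and the tenant's MFA policy applies.
//
// Assumed (not from the article): the Action's Secrets hold SCANNER_USER_ID
// (the scanner account's Auth0 user_id), SCANNER_CONNECTION (the connection
// that account lives in) and SCANNER_CIDRS (comma-separated IPv4 CIDRs the
// scanner connects from).

// Parse a dotted IPv4 address into an unsigned 32-bit number, or null if invalid.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if `ip` lies inside the IPv4 CIDR block `cidr` (e.g. "203.0.113.0/24").
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = String(cidr).split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Pure decision function so the logic can be tested outside Auth0 with a
// constructed event. Returns { skipMfa, reason }.
function decideMfa(event) {
  const secrets = event.secrets || {};
  const user = event.user || {};
  const allowedUserId = secrets.SCANNER_USER_ID;
  const allowedConnection = secrets.SCANNER_CONNECTION;
  const cidrs = (secrets.SCANNER_CIDRS || "")
    .split(",").map((s) => s.trim()).filter(Boolean);

  // Fail closed: an unconfigured tenant never bypasses MFA.
  if (!allowedUserId || !allowedConnection || cidrs.length === 0) {
    return { skipMfa: false, reason: "bypass not configured" };
  }
  // Match on the immutable user_id rather than the email address, which can
  // be unverified or reused across connections.
  if (user.user_id !== allowedUserId) {
    return { skipMfa: false, reason: "not the scanner account" };
  }
  if (!event.connection || event.connection.name !== allowedConnection) {
    return { skipMfa: false, reason: "wrong connection" };
  }
  const ip = event.request && event.request.ip;
  if (!ip || !cidrs.some((c) => ipInCidr(ip, c))) {
    return { skipMfa: false, reason: "source IP not allowlisted" };
  }
  return { skipMfa: true, reason: "scanner account from allowlisted network" };
}

// Auth0 Action entry point (Login flow, Post Login trigger).
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.skipMfa) {
    api.multifactor.enable("none");
  }
  // Otherwise: no call, so the tenant's normal MFA policy applies.
}

// Constructed sample event (not real Auth0 data) for running this file directly.
const sampleEvent = {
  secrets: {
    SCANNER_USER_ID: "auth0|scanner-0001",
    SCANNER_CONNECTION: "Username-Password-Authentication",
    SCANNER_CIDRS: "203.0.113.0/24, 198.51.100.7/32",
  },
  user: { user_id: "auth0|scanner-0001", email: "useruser@test.com" },
  connection: { name: "Username-Password-Authentication" },
  request: { ip: "203.0.113.42" },
};

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

When deployed as an Action, only onExecutePostLogin is called by Auth0; decideMfa and the sample event exist so the allowlist logic can be exercised locally (for example, decideMfa(sampleEvent) and decideMfa with a different user_id, connection or IP) before the Action is enabled in a tenant.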