Overview
The method presented in this article lets one specific user skip the MFA challenge in a post-login Action, so that an automated testing/scanning system can sign in to the site without being blocked by MFA. If further customization or different conditions are needed, the rule or Action can be adjusted accordingly.
Applies To
- Multifactor Authentication (MFA)
- Bypass MFA
Solution
NOTE:
- Security Implications: Bypassing MFA for any account reduces security. Ensure that the account used for testing is tightly controlled and monitored.
- Environment: Ensure this rule or action is only active in environments where it is needed (e.g., staging or testing) and not in production.
To achieve this, use the post-login Action script below:
exports.onExecutePostLogin = async (event, api) => {
  const userEmail = event.user.email;
  // Specific user email to skip MFA (only this exact address matches)
  const noMFA_UserEmail = "useruser@test.com";
  // Determine if MFA should be skipped; the comparison is exact and case-sensitive
  const skipMFA = userEmail === noMFA_UserEmail;
  // Disable MFA for this login only when skipMFA is true;
  // every other user keeps the tenant's normal MFA policy
  if (skipMFA) {
    api.multifactor.enable("none");
  }
};
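The following is an added example (not part of the original article or an Auth0 sample) that goes beyond the script above: it keeps the same api.multifactor.enable("none") call but fails closed unless the login matches an allowed email, an allowed tenant and, optionally, an allowed source IP, all read from Action secrets. The secret names NO_MFA_EMAIL, NO_MFA_TENANTS and NO_MFA_SOURCE_IPS and the tenant id and IP values are assumptions made for the example.

```javascript
// Split a comma-separated secret value into a trimmed, non-empty list.
function splitList(value) {
  return String(value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Build the bypass policy from Action secrets (secret names are assumed for
// this example; configure them in the Action's Secrets panel, not in code).
function loadPolicy(secrets) {
  return {
    allowedEmail: String(secrets.NO_MFA_EMAIL || "").trim().toLowerCase(),
    allowedTenants: splitList(secrets.NO_MFA_TENANTS),    // e.g. staging tenant ids
    allowedSourceIps: splitList(secrets.NO_MFA_SOURCE_IPS), // scanner egress IPs, optional
  };
}

// Decide whether this login may skip MFA. Every check fails closed: a missing
// email, an unconfigured policy or a tenant outside the allowlist keeps MFA on.
function shouldSkipMfa(event, policy) {
  const email = ((event.user && event.user.email) || "").trim().toLowerCase();
  if (!policy.allowedEmail || email !== policy.allowedEmail) return false;
  const tenant = event.tenant && event.tenant.id;
  if (!policy.allowedTenants.includes(tenant)) return false;
  // The IP allowlist is optional; when it is set, the scanner's source must match.
  const ip = event.request && event.request.ip;
  if (policy.allowedSourceIps.length > 0 && !policy.allowedSourceIps.includes(ip)) return false;
  return true;
}

async function onExecutePostLogin(event, api) {
  const policy = loadPolicy(event.secrets || {});
  if (shouldSkipMfa(event, policy)) {
    // Same call as the article's script; logged so the bypass shows up in Action logs.
    console.log(`MFA skipped for ${policy.allowedEmail} on tenant ${event.tenant.id}`);
    api.multifactor.enable("none");
  }
}

// Auth0 Actions pick up the handler from exports; guarded so the file also runs stand-alone.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```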