Certain customers are quite particular about MFA, and I would like to meet their needs while still enabling strong MFA to everyone possible.
Following the documentation here and here I’ve been able to implement conditional MFA for some users via actions, but the API is limited and stopping MFA from being what the customer wants.
- The options of `any`, `duo`, `google-authenticator`, and `guardian` (with a recommendation to only use `any`) are limiting. `SMS` and `FIDO2-key` are needed options, and every type should be scriptable via actions.
- Adding `SMS` or `phone` as an option in the actions API would allow users to be set up with only phone as an MFA option. As it stands, if I want to allow any user in a tenant to use a code generator, I cannot in any way support customers who only want to see SMS/phone at MFA registration, and are confused by code generators.
- Adding `FIDO2-key` would allow me to require certain users to use a yubikey when signing up/in. It should also allow registration/enrollment on first time signing in with MFA. As it stands I can't figure out any way to enroll any user into FIDO2 if MFA is being required by an action instead of tenant-wide.
- `code-generator` or `TOTP` or something should replace the deprecated `google-authenticator` that doesn't let you enroll a backup code.
Customization of MFA has felt like a bit of an afterthought, but with Actions we are close to having all the required parts.
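To show what "conditional MFA via actions" looks like with the provider list the post describes, here is an added example of an Auth0 post-login Action. It is not code from the original post or from Auth0. It assumes a per-user `app_metadata.mfa_policy` field (a naming convention chosen for this example, not an Auth0 attribute), and it uses the `api.multifactor.enable(provider, options)` call that post-login Actions expose. Policies that name a factor the API does not accept yet (such as `sms` or `fido2-key`) fall back to `any`, which is exactly the gap the post points out.

```javascript
// Added example: per-user conditional MFA in an Auth0 post-login Action.
// Provider names are the ones the post lists; `mfa_policy` in app_metadata
// is an assumed convention for this example, not a built-in Auth0 field.

// Providers the Actions API accepts today (per the post).
const SUPPORTED_PROVIDERS = new Set(['any', 'duo', 'google-authenticator', 'guardian']);

// Decide which provider to request for this user.
// Returns null when MFA should not be forced for the user.
function chooseMfaProvider(user) {
  const meta = (user && user.app_metadata) || {};
  const policy = meta.mfa_policy || 'none';
  if (policy === 'none') return null;
  // Factors the API does not offer (e.g. 'sms', 'fido2-key') cannot be
  // requested specifically, so the best available option is 'any'.
  return SUPPORTED_PROVIDERS.has(policy) ? policy : 'any';
}

// Apply the policy through the Actions API. Returns the provider that was
// enabled, or null if MFA was left off for this login.
function applyMfaPolicy(user, api) {
  const provider = chooseMfaProvider(user);
  if (provider === null) return null;
  // allowRememberBrowser: false keeps the challenge on every login.
  api.multifactor.enable(provider, { allowRememberBrowser: false });
  return provider;
}

// Auth0 post-login Action entry point.
const onExecutePostLogin = async (event, api) => {
  applyMfaPolicy(event.user, api);
};

// Auth0 loads the handler from `exports`; guarded so the file also runs elsewhere.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Deploying this as a Login flow Action enforces MFA only for users whose `mfa_policy` is set, while everyone else signs in without it; the fallback to `any` is the part that a tenant wanting "SMS only" or "security key only" cannot express with the current provider list.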