Certain customers are quite particular about MFA, and I would like to meet their needs while still enabling strong MFA to everyone possible.
Following the documentation here and here I’ve been able to implement conditional MFA for some users via actions, but the API is limited and stopping MFA from being what the customer wants.
- The options of `any`, `duo`, `google-authenticator`, and `guardian` (with a recommendation to only use `any`) are limiting. `SMS` and `FIDO2-key` are needed options, and every type should be scriptable via Actions.
- Adding `SMS` or `phone` as an option in the Actions API would allow users to be set up with only phone as an MFA option. As it stands, if I want to allow any user in a tenant to use a code generator, I cannot in any way support customers who only want to see SMS/phone at MFA registration and are confused by code generators.
- Adding `FIDO2-key` would allow me to require certain users to use a YubiKey when signing up/in. It should also allow registration/enrollment on first-time sign-in with MFA. As it stands, I can't figure out any way to enroll any user into FIDO2 if MFA is being required by an Action instead of tenant-wide.
- `code-generator` or `TOTP` or something should replace the deprecated `google-authenticator`, which doesn't let you enroll a backup code.
Customization of MFA has felt like a bit of an afterthought, but with Actions we are close to having all the required parts.
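An added example, not code from the original post or from the vendor's documentation: a post-login Action that requires MFA only for users flagged for it, showing both the conditional enforcement the post describes and the provider restriction it complains about. It assumes the post-login Action shape the option names point to (`onExecutePostLogin(event, api)`, `api.multifactor.enable(provider, { allowRememberBrowser })`, `event.authentication.methods` with a `name: 'mfa'` entry once MFA has completed in the session); the `app_metadata` fields `mfa_policy` and `mfa_provider` are hypothetical names chosen for this example, and the sample events are constructed, not real logins.

```javascript
// Added example (not from the original post). Assumes the post-login Action API:
// onExecutePostLogin(event, api) and api.multifactor.enable(provider, options).

// Provider values the post lists as the only ones accepted today. Anything else
// (e.g. 'sms', 'fido2-key') is rejected so a typo fails loudly instead of silently
// skipping MFA; there is no way to request those providers from an Action.
const SUPPORTED_PROVIDERS = new Set(['any', 'duo', 'google-authenticator', 'guardian']);

// Map a coarse per-customer policy (hypothetical app_metadata.mfa_policy) to a provider.
// 'yubikey' shows the gap: no FIDO2-only provider exists, so it degrades to 'any'.
function providerForPolicy(policy) {
  switch (policy) {
    case 'none':    return null;                    // customer has opted out of MFA
    case 'duo':     return 'duo';
    case 'totp':    return 'google-authenticator';  // deprecated name, but the only TOTP option
    case 'yubikey': return 'any';                   // cannot force FIDO2; best available fallback
    case 'any':
    default:        return 'any';                   // default: require MFA, user picks the factor
  }
}

// True when this session already completed MFA (e.g. silent auth), so we do not prompt again.
function alreadyCompletedMfa(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.some((m) => m.name === 'mfa');
}

// Pure decision: which provider to request for this login, or null for no MFA.
// Throws if an explicit override (hypothetical app_metadata.mfa_provider) names a
// provider the API does not accept.
function requireMfaFor(event) {
  if (alreadyCompletedMfa(event)) return null;
  const meta = (event.user && event.user.app_metadata) || {};
  if (meta.mfa_provider !== undefined) {
    if (!SUPPORTED_PROVIDERS.has(meta.mfa_provider)) {
      throw new Error(`api.multifactor.enable does not accept provider '${meta.mfa_provider}'`);
    }
    return meta.mfa_provider;
  }
  return providerForPolicy(meta.mfa_policy);
}

// The Action entry point. In a tenant this is assigned to exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const provider = requireMfaFor(event);
  if (provider === null) return;
  // allowRememberBrowser: false forces the challenge on every login for policy-bound users.
  api.multifactor.enable(provider, { allowRememberBrowser: false });
}

// Offline stand-in for the Actions `api` object: records enable() calls instead of acting.
function makeFakeApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider, opts) => calls.push({ provider, opts }) } };
}

// Constructed sample event (not a real login).
function sampleEvent(app_metadata, methods = [{ name: 'pwd' }]) {
  return { user: { user_id: 'auth0|example', app_metadata }, authentication: { methods } };
}

// Stand-alone run: a user with the 'totp' policy gets google-authenticator requested.
const demoApi = makeFakeApi();
onExecutePostLogin(sampleEvent({ mfa_policy: 'totp' }), demoApi);
console.log(demoApi.calls);
```

Because `onExecutePostLogin` has no `await`, the `api.multifactor.enable` call happens synchronously before the returned promise settles, which is why the fake `api` can be inspected right after the call.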