Certain customers are quite particular about MFA, and I would like to meet their needs while still enabling strong MFA to everyone possible.
The options of guardian (with a recommendation to only use any) are limiting.
FIDO2-key are needed options, and every type should be scriptable via actions.
phone as an option in the actions api would allow users to be set up with only phone as an MFA option. As it stands, if I want to allow any user in a tenant to use a code generator, I cannot in any way support customers who only want to see SMS/phone at MFA registration, and are confused by code generators.
FIDO2-key would allow me to require certain users to use a yubikey when signing up/in. It should also allow registration/enrollment on first time signing in with MFA. As it stands I can’t figure out any way to enroll any user into FIDO2 if MFA is being required by an action instead of tenant-wide.
TOTP or something should replace the deprecated google-authenticator that doesn’t let you enroll a backup code.
Customization of MFA has felt like a bit of an afterthought, but with Actions we are close to having all the required parts.