Complete The Actions MFA Library

Certain customers are quite particular about MFA, and I would like to meet their needs while still enabling strong MFA to everyone possible.

Following the documentation here and here I’ve been able to implement conditional MFA for some users via actions, but the API is limited and stopping MFA from being what the customer wants.

  • The options of any, duo, google-authenticator, and guardian (with a recommendation to only use any) is limiting. SMS and FIDO2-key are needed options, and every type should be scriptable via actions.
  • Adding SMS or phone as an option in the actions api would allow users to be set up with only phone as an MFA option. As it stands, if I want to allow any user in a tenant to use a code generator, I cannot in any way support customers who only want to see SMS/phone at MFA registration, and are confused by code generators.
  • Adding FIDO2-key would allow me to require certain users to use a yubikey when signing up/in. It should also allow registration/enrollment on first time signing in with MFA. As it stands I can’t figure out any way to enroll any user into FIDO2 if MFA is being required by an action instead of tenant-wide.
  • code-generator or TOTP or something should replace the depricated google-authenticator that doesn’t let you enroll a backup code.

Customization of MFA has felt like a bit of an afterthought, but with Actions we are close to having all the required parts.

Hey @abatz,

I moved this topic to the feature request category. Please take a moment to upvote it. Thanks!

1 Like