Custom Action to Decide on MFA Frequency

Overview

This article provides sample code for deciding whether to prompt a user for MFA and how often to do so (the MFA frequency). It also answers whether the "Remember this Device" period can be configured.

Applies To

  • Custom Actions
  • MFA Frequency
  • Remember this Device

Solution

The period for remembering the device is not customizable at the moment. Refer to Customize Multi-Factor Authentication Pages for more details. There is a backlog item to address this feature request. However, there is no ETA yet. To see this functionality considered in a future release, please submit a feature request using this form.

Depending on your business use case, there can be different ways to decide on the MFA frequency.

The timestamp of the last authentication can be read from the ‘event.authentication.methods’ object (see Actions Triggers: post-login - Event Object), and the validation window in the script (24 hours, one hour, or any other period) can be adjusted to suit. The ‘methods’ array will have values as below:

[
  {
    "name": "pwd",
    "timestamp": "2022-02-07T00:22:54.822Z"
  },
  {
    "name": "mfa",
    "timestamp": "2022-02-07T00:28:02.882Z"
  }
]

Here is an example Action that looks at the last time the user completed MFA for their current session to decide whether MFA should be prompted for again:

exports.onExecutePostLogin = async (event, api) => {
  let timeDelay = 60 * 60 * 1000; // default to 1 hour between MFA challenges
  const appMetadata = event.user.app_metadata || {};
  // Optional - only trigger MFA for users with the trigger_mfa app_metadata flag set to true
  if (appMetadata.trigger_mfa) {
    if (appMetadata.MFAdelay) {
      // Override default period between MFA challenges with a value in ms from metadata
      timeDelay = appMetadata.MFAdelay;
    }
    // event.authentication may be absent on some flows; treat that as "no MFA yet"
    const methods = (event.authentication && event.authentication.methods) || [];
    const mfaTime = methods.find(({ name }) => name === "mfa");
    const currentTime = new Date();
    if (mfaTime) {
      console.log("mfaTime found");
      const mfaDateTime = Date.parse(mfaTime.timestamp);
      console.log("Elapsed time since last MFA:", currentTime - mfaDateTime);
      if (currentTime - mfaDateTime < timeDelay) {
        console.log("Insufficient time since last prompt for MFA");
      } else {
        console.log("Last MFA auth was over timeDelay, force MFA prompt");
        api.multifactor.enable("any", { allowRememberBrowser: false });
      }
    } else {
      console.log("No previous mfa record found for session, prompting for MFA");
      api.multifactor.enable("any", { allowRememberBrowser: true });
    }
  }
};
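The decision logic of the Action above, factored into a pure function so it can be exercised offline against constructed post-login event objects and a stub api. This is an added example, not code from the Auth0 article: decideMfa, lastMfaTimestampMs, makeStubApi and the sample events are assumptions introduced here, and the sample timestamps are constructed. It goes slightly beyond the Action above in that it picks the most recent ‘mfa’ entry when several are present, ignores malformed timestamps, and falls back to the default delay when MFAdelay is not a positive number.

```javascript
// Added example (not from the Auth0 article): the MFA-frequency decision
// factored out of the post-login Action so it can be tested offline.

const DEFAULT_MFA_DELAY_MS = 60 * 60 * 1000; // 1 hour between MFA challenges

// Most recent "mfa" timestamp (ms since epoch) in the session, or null if the
// session has no completed MFA. Tolerates a missing or empty methods array.
function lastMfaTimestampMs(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  let latest = null;
  for (const m of methods) {
    if (m.name !== 'mfa') continue;
    const ts = Date.parse(m.timestamp);
    if (Number.isNaN(ts)) continue; // malformed timestamp: treat as absent
    if (latest === null || ts > latest) latest = ts;
  }
  return latest;
}

// Decide whether to prompt. nowMs is injected so the decision is reproducible.
// Returns { prompt, allowRememberBrowser, reason }.
function decideMfa(event, nowMs = Date.now()) {
  const meta = (event.user && event.user.app_metadata) || {};
  if (!meta.trigger_mfa) {
    return { prompt: false, allowRememberBrowser: false, reason: 'trigger_mfa flag not set' };
  }
  // Per-user override in ms; non-numeric or non-positive values fall back to the default
  const override = Number(meta.MFAdelay);
  const delayMs = Number.isFinite(override) && override > 0 ? override : DEFAULT_MFA_DELAY_MS;

  const last = lastMfaTimestampMs(event);
  if (last === null) {
    return { prompt: true, allowRememberBrowser: true, reason: 'no mfa record in session' };
  }
  const elapsed = nowMs - last;
  if (elapsed < delayMs) {
    return { prompt: false, allowRememberBrowser: false, reason: `only ${elapsed} ms since last MFA` };
  }
  return { prompt: true, allowRememberBrowser: false, reason: `${elapsed} ms since last MFA exceeds ${delayMs} ms` };
}

// Action entry point; in the Auth0 editor this would be assigned to
// exports.onExecutePostLogin. The api call happens synchronously.
async function onExecutePostLogin(event, api) {
  const d = decideMfa(event);
  if (d.prompt) {
    api.multifactor.enable('any', { allowRememberBrowser: d.allowRememberBrowser });
  }
}

// Stub of the Actions api object that records multifactor.enable calls (hypothetical helper).
function makeStubApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, opts) => { calls.push({ provider, ...opts }); } },
  };
}

// Constructed sample event: password login, then MFA, with a 30-minute per-user override.
const sampleEvent = {
  user: { app_metadata: { trigger_mfa: true, MFAdelay: 30 * 60 * 1000 } },
  authentication: {
    methods: [
      { name: 'pwd', timestamp: '2022-02-07T00:22:54.822Z' },
      { name: 'mfa', timestamp: '2022-02-07T00:28:02.882Z' },
    ],
  },
};

// Run once as a script: 10 minutes after MFA no prompt, 31 minutes after MFA a prompt.
const mfaAt = Date.parse('2022-02-07T00:28:02.882Z');
console.log(decideMfa(sampleEvent, mfaAt + 10 * 60 * 1000));
console.log(decideMfa(sampleEvent, mfaAt + 31 * 60 * 1000));
```

Because the decision is a pure function of the event and a clock value, the same cases (no MFA yet, MFA within the window, MFA past the window, flag not set) can be checked in a unit test without a tenant. The session-lifetime caveat still applies: once the session ends the methods array starts empty again, so the "no mfa record" branch runs regardless of MFAdelay.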

The output of the console logs can be seen using the Real-time Webtask Logs Extension.

NOTE: This sample is provided as a starting point and should not be considered production ready. Please test thoroughly before applying to a production environment.

NOTE: As the sample stands currently, this will be tied to the user’s session lifetime, so custom MFA delays beyond the tenant’s absolute session lifetime limit will not be possible. Refer to Configure Session Lifetime Settings.

Review the following video for additional details.