Problem statement
This article explains how to re-prompt users for MFA after a configurable interval, where the interval can differ from one user to the next.
Solution
The sample Action below shows how a custom app_metadata property (called "mfaDelay" in this example) can control the per-user interval between MFA prompts within a session. The Action compares the timestamp of the last "mfa" entry in event.authentication.methods against the current time and only calls api.multifactor.enable when the interval has elapsed (or when no MFA has happened in the session yet).
If the user has no mfaDelay set, the Action falls back to the default timeDelay value (one hour in the sample). mfaDelay lives in app_metadata, which end users cannot edit but anyone with Management API write access can, so treat it as policy input: accept only a positive number of milliseconds and consider capping it, since an oversized mfaDelay effectively disables re-prompting for that user.
exports.onExecutePostLogin = async (event, api) => {
  let timeDelay = 60 * 60 * 1000; // default: 1 hour between MFA challenges
  const appMetadata = event.user.app_metadata || {};

  // Optional: only apply this policy to users whose app_metadata has trigger_mfa set to true
  if (appMetadata.trigger_mfa) {
    // Override the default interval with a per-user value (in ms) from app_metadata.
    // Only accept a positive number so a malformed value cannot disable re-prompting.
    if (typeof appMetadata.mfaDelay === "number" && appMetadata.mfaDelay > 0) {
      timeDelay = appMetadata.mfaDelay;
    }

    // event.authentication is not always present; treat a missing list as "no MFA yet"
    const methods = (event.authentication && event.authentication.methods) || [];
    const mfaMethod = methods.find(({ name }) => name === "mfa");
    const currentTime = Date.now();

    if (mfaMethod) {
      console.log("mfa method found in session");
      const mfaDateTime = Date.parse(mfaMethod.timestamp);
      const elapsed = currentTime - mfaDateTime;
      console.log("Elapsed time since last MFA (ms):", elapsed);
      if (elapsed < timeDelay) {
        console.log("Insufficient time since last MFA prompt, skipping");
      } else {
        console.log("Last MFA is older than timeDelay, forcing MFA prompt");
        api.multifactor.enable("any", { allowRememberBrowser: false });
      }
    } else {
      console.log("No previous MFA record found for session, prompting for MFA");
      api.multifactor.enable("any", { allowRememberBrowser: true });
    }
  }
};
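The same policy, factored into a pure decision function so it can be run and checked offline against constructed events. This is an added example, not code from the original article or from Auth0. The helper names (effectiveDelayMs, decideMfa, withMfaAt), the rule that mfaDelay must be a positive finite number, the 30-day cap, failing closed on an unparseable MFA timestamp, and the sample events are all assumptions introduced here.

```javascript
// Added example, not Auth0's own code: the article's time-based MFA policy
// factored into a pure decision function so it can be exercised offline.
// Assumptions beyond the article: mfaDelay must be a positive, finite number
// and is capped at MAX_MFA_DELAY_MS; event.authentication may be absent;
// an unparseable MFA timestamp fails closed (re-prompt).

const DEFAULT_MFA_DELAY_MS = 60 * 60 * 1000;        // article default: 1 hour
const MAX_MFA_DELAY_MS = 30 * 24 * 60 * 60 * 1000;  // assumed cap: 30 days

// Effective per-user interval. Strings, negatives, NaN and Infinity fall back
// to the default; oversized values are clamped, so a bad app_metadata write
// cannot silently turn re-prompting off.
function effectiveDelayMs(appMetadata) {
  const raw = appMetadata ? appMetadata.mfaDelay : undefined;
  if (typeof raw !== "number" || !Number.isFinite(raw) || raw <= 0) {
    return DEFAULT_MFA_DELAY_MS;
  }
  return Math.min(raw, MAX_MFA_DELAY_MS);
}

// Pure decision: what the Action should do for this event at time nowMs.
// nowMs is passed in (instead of calling Date.now()) so outcomes are deterministic.
function decideMfa(event, nowMs) {
  const appMetadata = (event.user && event.user.app_metadata) || {};
  if (!appMetadata.trigger_mfa) {
    return { enable: false, reason: "trigger_mfa not set" };
  }
  const delayMs = effectiveDelayMs(appMetadata);
  const methods = (event.authentication && event.authentication.methods) || [];
  const mfaMethod = methods.find((m) => m.name === "mfa");
  if (!mfaMethod) {
    return { enable: true, allowRememberBrowser: true, reason: "no MFA in this session" };
  }
  const mfaAtMs = Date.parse(mfaMethod.timestamp);
  if (Number.isNaN(mfaAtMs)) {
    return { enable: true, allowRememberBrowser: false, reason: "unparseable MFA timestamp" };
  }
  const elapsedMs = nowMs - mfaAtMs;
  if (elapsedMs < delayMs) {
    return { enable: false, reason: `last MFA ${elapsedMs} ms ago, under ${delayMs} ms` };
  }
  return { enable: true, allowRememberBrowser: false, reason: "last MFA older than delay" };
}

// Action entry point: apply the decision through the post-login api object.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event, Date.now());
  console.log("MFA decision:", decision.reason);
  if (decision.enable) {
    api.multifactor.enable("any", { allowRememberBrowser: decision.allowRememberBrowser });
  }
}
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed sample events (not real Auth0 data) for a local dry run.
const NOW_MS = Date.parse("2024-01-01T12:00:00.000Z");
function withMfaAt(appMetadata, timestamp) {
  return {
    user: { app_metadata: appMetadata },
    authentication: { methods: [{ name: "pwd", timestamp }, { name: "mfa", timestamp }] },
  };
}
const SAMPLE_EVENTS = {
  notOptedIn: { user: { app_metadata: {} } },
  freshSession: { user: { app_metadata: { trigger_mfa: true } } },
  recentMfa: withMfaAt({ trigger_mfa: true, mfaDelay: 5 * 60 * 1000 }, "2024-01-01T11:58:00.000Z"),
  staleMfa: withMfaAt({ trigger_mfa: true }, "2024-01-01T10:30:00.000Z"),
  stringDelay: withMfaAt({ trigger_mfa: true, mfaDelay: "31536000000" }, "2024-01-01T10:00:00.000Z"),
  hugeDelay: withMfaAt({ trigger_mfa: true, mfaDelay: 10 * 365 * 24 * 60 * 60 * 1000 }, "2023-11-01T12:00:00.000Z"),
};

for (const [label, event] of Object.entries(SAMPLE_EVENTS)) {
  const d = decideMfa(event, NOW_MS);
  console.log(label, "->", d.enable ? `prompt (remember=${d.allowRememberBrowser})` : "skip", "|", d.reason);
}
```

Keeping the decision separate from the api calls means the file can be run with node locally; in the Action itself only onExecutePostLogin is used. The stringDelay and hugeDelay cases show why the validation matters: a numeric string or a ten-year value written into app_metadata would otherwise keep the user from ever being re-prompted.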
Related Resources
- Overview of Actions
- Another example of using Actions to enforce custom MFA policies
- API object reference for post-login Actions