Customizing the Duration Between MFA Prompts on a Per User Level

Problem statement

This article explains how to prompt for MFA after different amounts of time on a per-user basis.

Solution

The sample Action below shows how a custom app_metadata value (called "mfaDelay" in this example) can be used to control the user-specific duration between MFA prompts for a given session.

If the user does not have a delay set, the Action falls back to the default timeDelay value.

exports.onExecutePostLogin = async (event, api) => {
    let timeDelay = 60*60*1000; // default to 1 hour between MFA challenges
    // app_metadata is written by administrators or the Management API, not by the user
    // (unlike user_metadata), so it is the right place for a value that relaxes MFA frequency.
    const metadata = event.user.app_metadata || {};
    if (metadata.trigger_mfa) { // Optional - only trigger MFA for users with the trigger_mfa app_metadata flag set to true
      if (metadata.mfaDelay) {
        // Override the default period between MFA challenges with a value in ms from metadata.
        // Number() handles a value stored as a string; a non-numeric value becomes NaN,
        // which fails the "< timeDelay" comparison below and therefore still prompts for MFA.
        timeDelay = Number(metadata.mfaDelay);
      }
      // event.authentication may be absent, so guard before reading its methods
      const methods = (event.authentication && event.authentication.methods) || [];
      const mfaTime = methods.find(({name}) => name === "mfa");
      const currentTime = new Date();
      if (mfaTime) {
        console.log("mfaTime found");
        const mfaDateTime = Date.parse(mfaTime.timestamp);
        console.log("Elapsed time since last MFA:", currentTime - mfaDateTime);
        if (currentTime - mfaDateTime < timeDelay) {
          console.log("Insufficient time since last prompt for MFA");
        } else {
          console.log("Last MFA auth was over timeDelay, force MFA prompt");
          api.multifactor.enable("any", {allowRememberBrowser: false});
        }
      } else {
        console.log("No previous MFA record found for session, prompting for MFA");
        api.multifactor.enable("any", {allowRememberBrowser: true});
      }
    }
};
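The same decision logic, factored into a pure function so it can be exercised offline against constructed events; this is an added example, not code from the original article, and the fake `api` object, the `decideMfa` helper and the sample events are assumptions made for testing.

```javascript
// Added example (not part of the original article): the Action's decision
// logic as a pure function plus a hypothetical stand-in for the Actions `api`
// object, so the per-user delay behaviour can be tested offline.
const DEFAULT_MFA_DELAY_MS = 60 * 60 * 1000; // 1 hour, as in the article

// Returns { prompt, allowRememberBrowser, elapsedMs } for a post-login event.
function decideMfa(event, now = Date.now()) {
  const meta = (event.user && event.user.app_metadata) || {};
  if (!meta.trigger_mfa) return { prompt: false, allowRememberBrowser: null, elapsedMs: null };
  // mfaDelay may arrive as a string; anything non-numeric or <= 0 falls back to the default
  const override = Number(meta.mfaDelay);
  const delayMs = Number.isFinite(override) && override > 0 ? override : DEFAULT_MFA_DELAY_MS;
  const methods = (event.authentication && event.authentication.methods) || [];
  const last = methods.find(({ name }) => name === "mfa");
  if (!last) return { prompt: true, allowRememberBrowser: true, elapsedMs: null };
  const elapsedMs = now - Date.parse(last.timestamp);
  // An unparseable timestamp yields NaN; treat it as expired so the check fails closed
  if (Number.isNaN(elapsedMs) || elapsedMs >= delayMs) {
    return { prompt: true, allowRememberBrowser: false, elapsedMs };
  }
  return { prompt: false, allowRememberBrowser: null, elapsedMs };
}

// Hypothetical stand-in for the real `api` object: records multifactor.enable calls.
function makeFakeApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider, opts) => calls.push({ provider, opts }) } };
}

// Same control flow as the article's handler, driven by decideMfa.
async function onExecutePostLogin(event, api, now = Date.now()) {
  const d = decideMfa(event, now);
  if (d.prompt) api.multifactor.enable("any", { allowRememberBrowser: d.allowRememberBrowser });
  return d;
}

// Constructed sample events; "now" is fixed so the results are deterministic.
const NOW = Date.parse("2024-01-01T12:00:00Z");
const mfaAt1130 = { name: "mfa", timestamp: "2024-01-01T11:30:00Z" };
const sampleEvents = {
  noFlag: { user: { app_metadata: {} }, authentication: { methods: [mfaAt1130] } },
  firstMfa: { user: { app_metadata: { trigger_mfa: true } }, authentication: { methods: [] } },
  recentMfa: { user: { app_metadata: { trigger_mfa: true } }, authentication: { methods: [mfaAt1130] } },
  shortDelay: { user: { app_metadata: { trigger_mfa: true, mfaDelay: "900000" } }, authentication: { methods: [mfaAt1130] } },
  badStamp: { user: { app_metadata: { trigger_mfa: true } }, authentication: { methods: [{ name: "mfa", timestamp: "garbage" }] } },
};
```

With the default one-hour delay a 30-minute-old MFA record is not re-prompted, while the same record with a 15-minute `mfaDelay` override is; a missing or unparseable MFA timestamp always prompts.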

Related Resources