Different two-factor authentication depending on user role

Can you have different two-factor authentication methods for different user roles? Example:

Business User → Uses app authentication for extra security on personal data
Simple User → Uses SMS authentication because they don’t have sensitive data

Hey @eiras.lucio welcome to the community!

This should be possible using a Post-Login Action and the event/api objects provided. You’ll want to configure this code to your own needs, and absolutely test in your own environment, but one possibility might look something like this:

exports.onExecutePostLogin = async (event, api) => {
  // Retrieve roles from event.authorization.roles. The authorization object can be
  // absent for some logins, so guard the lookup instead of dereferencing it directly.
  const userRoles = event.authorization?.roles ?? [];

  if (userRoles.length === 0) {
    // Handle the case where there are no roles assigned (note: this skips MFA entirely)
    return;
  }

  // If a user has a specific role, enforce the corresponding MFA.
  // challengeWith() takes a factor object ({ type: '...' }), not a bare string;
  // the role names 'admin' and 'regular_user' are placeholders to replace with your own.
  if (userRoles.includes('admin')) {
    // Challenge admin users with a specific MFA factor (authenticator-app OTP here)
    api.authentication.challengeWith({ type: 'otp' }, {
      // Optionally, provide additional options as needed (e.g. additionalFactors)
    });
  } else if (userRoles.includes('regular_user')) {
    // Challenge regular users with a different MFA factor (SMS here)
    api.authentication.challengeWith(
      { type: 'phone', options: { preferredMethod: 'sms' } },
      {
        // Optionally, provide additional options as needed
      }
    );
  }
};
