Problem statement
We want to enable MFA per user and give each user the option to turn it on (or off) for their own account.
The expected workflow is as follows:
- User A wants to enable MFA;
- User B does not want MFA;
- We want to enable MFA only for User A.
- Meanwhile, User B should not be affected at all.
Solution
This could be achieved by:
- storing a boolean flag such as should_prompt_mfa: false in the user's user_metadata. Please see Understand How Metadata Works in User Profiles;
- using a post-login Action that reads the should_prompt_mfa flag from the user profile and, only when it is true, calls api.multifactor.enable() to trigger MFA. Users without the flag (or with it set to false) log in as before. Please see Actions Triggers: post-login - API Object and Enforce custom MFA policy.
The proper way to let users set should_prompt_mfa on their own profile is to create an API endpoint on the application. This endpoint should be accessible only to logged-in users, should update the flag in the caller's own user_metadata (taking the user ID from the authenticated session, never from the request body) through the Management API, and could be presented to users as an on/off toggle. Because clearing the flag weakens the account's protection, it is advisable to require that the current session itself completed MFA before the endpoint accepts a request to switch it off.
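The following is an added example that is not code from the original article or from Auth0: it shows both pieces of the solution above, the post-login Action that enforces MFA only for users who opted in, and the application-side handler behind the toggle. The helper names (userOptedIn, validateToggleRequest, toggleMfaHandler, patchUserMetadata, simulateLogin), the two sample users and the assumption that the application copies the ID token's amr claim into its session are all illustrative assumptions; the Management API call is injected as a function so the example runs offline.

```javascript
// Added example (not from the original article). Helper names, sample users
// and the session shape are assumptions made for illustration.

// ---- Part 1: the post-login Action ----

// Pure decision: has this user opted in? Only the boolean true counts, so a
// missing flag, null, or the string "true" leaves the user alone (User B's case).
function userOptedIn(user) {
  const metadata = (user && user.user_metadata) || {};
  return metadata.should_prompt_mfa === true;
}

// Auth0 calls this with `event` (login context, including event.user) and
// `api` (command object). api.multifactor.enable("any") challenges the user
// with any factor enabled on the tenant; allowRememberBrowser: false forces a
// challenge on every login rather than trusting a remembered browser.
const onExecutePostLogin = async (event, api) => {
  if (userOptedIn(event.user)) {
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};
// Export the way an Action does, without failing if loaded as an ES module.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// ---- Part 2: the application endpoint behind the toggle ----

// Returns null when the request may proceed, otherwise an HTTP-style error.
function validateToggleRequest(session, body) {
  if (!session || !session.userId) return { status: 401, error: "not authenticated" };
  if (!body || typeof body.enabled !== "boolean") {
    return { status: 400, error: "enabled must be true or false" };
  }
  // Disabling MFA is a downgrade: require that this session itself passed MFA.
  // Auth0 adds "mfa" to the ID token's amr claim after a successful challenge;
  // this example assumes the app copies that claim into session.amr.
  if (body.enabled === false && !(session.amr || []).includes("mfa")) {
    return { status: 403, error: "complete MFA before disabling it" };
  }
  return null;
}

// patchUserMetadata(userId, patch) is assumed to wrap a Management API call
// PATCH /api/v2/users/{id} with {"user_metadata": patch} (token with the
// update:users scope). It is injected so the example runs without network access.
async function toggleMfaHandler(session, body, patchUserMetadata) {
  const rejected = validateToggleRequest(session, body);
  if (rejected) return rejected;
  // Always patch the caller's own user id from the session, never one sent by the client.
  await patchUserMetadata(session.userId, { should_prompt_mfa: body.enabled });
  return { status: 200, should_prompt_mfa: body.enabled };
}

// ---- Constructed sample users (not real accounts) ----
const userA = { user_id: "auth0|userA", user_metadata: { should_prompt_mfa: true } };
const userB = { user_id: "auth0|userB", user_metadata: {} };

// Run the Action against a recording stand-in for `api` and return the
// multifactor.enable calls it made. The Action body has no await, so the
// call is recorded before the returned promise is even inspected.
function simulateLogin(user) {
  const calls = [];
  const api = {
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
  onExecutePostLogin({ user }, api);
  return calls;
}

console.log("User A MFA calls:", simulateLogin(userA));
console.log("User B MFA calls:", simulateLogin(userB));
```

The decision logic is kept in synchronous, side-effect-free functions (userOptedIn, validateToggleRequest) so it can be unit-tested without Auth0 or a Management API token; the Action and the HTTP handler are thin wrappers around them.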