Our clients are requesting that we enable MFA, or rather enforce it, for their organization.
When the user is coming from db (email & password), it is pretty clear how the flow is supposed to work. My question is what happens with the users who authenticate through social media?
Do I need to enforce MFA on the app as well? Does it even make sense?
My assumption is that MFA should be enabled on social media (or Google, for example), and there is no need to enforce MFA on the app at that point.
That’s correct! When MFA is enabled, users who log in using a Social Connection will also be prompted for MFA. There shouldn’t be any additional steps needed to configure MFA for social connection users.
So, if I understand you correctly, if a user has MFA enabled on Google and on our app, he will be prompted for MFA verification twice, right? I never saw such a flow in the past, that is why I am asking.
Yes, that kind of flow is possible if the user was not previously authenticated with Google and is logging in on a fresh session. In this case, if the user has Google MFA, it would prompt them for it when they log in with the Google social connection. After being redirected back to your app, if MFA is configured, the user would be prompted for MFA again.
Just to clarify, the MFA on your app is separate from the MFA on Google.
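To make the "separate MFA" point concrete, here is an added example that is not code from this thread or from the product's documentation. It assumes the thread concerns an Auth0 tenant and the post-login Action runtime, where `event.connection.strategy` names the connection type (`"auth0"` for database connections, e.g. `"google-oauth2"` for Google), `event.organization.id` identifies the organization the user logged into, and `api.multifactor.enable()` requests the application's own MFA challenge. The organization set, `mfaDecision`, `runLogin` and the sample logins are this example's own constructions. The policy enforces app-level MFA for every connection type once an organization opts in, and never consults whether the upstream IdP (Google) already ran MFA, because the app has no trustworthy signal for that.

```javascript
// Added example, not code from the thread. Assumes an Auth0 post-login Action
// runtime: `event.connection.strategy`, `event.organization.id` and
// `api.multifactor.enable(provider, options)` are the Action APIs relied on.
// The organization set below and the helper functions are this example's own.

const DATABASE_STRATEGY = "auth0"; // Auth0's username/password ("db") connections

// Constructed: organizations whose admins asked for MFA to be enforced.
const ENFORCING_ORGS = new Set(["org_example_enforced"]);

// Pure policy: which MFA provider to require for this login, and why.
// The connection type only affects the logged reason; social and database
// users are treated the same because the IdP's own MFA is not a substitute.
function mfaDecision(event, enforcingOrgs = ENFORCING_ORGS) {
  const strategy = event && event.connection && event.connection.strategy;
  const orgId = event && event.organization && event.organization.id;
  if (!strategy) {
    return { provider: null, reason: "no connection information on event" };
  }
  if (!orgId || !enforcingOrgs.has(orgId)) {
    return { provider: null, reason: `organization ${orgId || "(none)"} does not enforce MFA` };
  }
  const kind = strategy === DATABASE_STRATEGY ? "database" : `social (${strategy})`;
  return { provider: "any", reason: `${orgId} enforces MFA; ${kind} connection gets the app's own prompt` };
}

// Action entry point, shaped like an Auth0 post-login Action.
async function onExecutePostLogin(event, api) {
  const decision = mfaDecision(event);
  if (decision.provider) {
    // allowRememberBrowser: false repeats the app prompt on every fresh
    // session, which is the double-prompt behaviour described above for
    // Google users who also have Google MFA. true would let a remembered
    // browser skip the app prompt while Google's prompt still occurs.
    api.multifactor.enable(decision.provider, { allowRememberBrowser: false });
  }
}

// Minimal stand-in for the Action `api` object, recording enable() calls so
// the policy can be exercised offline without a tenant.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable(provider, options) {
        calls.push({ provider, options });
      },
    },
  };
}

// Runs the Action against a constructed event and returns the recorded calls.
// The handler has no awaits, so enable() has run before the promise is returned.
function runLogin(event) {
  const api = makeRecordingApi();
  onExecutePostLogin(event, api);
  return api.calls;
}

if (typeof module !== "undefined") {
  module.exports = { onExecutePostLogin, mfaDecision, runLogin };
}

// Constructed sample logins: a database user and a Google social user, each
// into the enforcing organization and into one that does not enforce MFA.
const SAMPLE_LOGINS = [
  { connection: { strategy: "auth0" }, organization: { id: "org_example_enforced" } },
  { connection: { strategy: "google-oauth2" }, organization: { id: "org_example_enforced" } },
  { connection: { strategy: "google-oauth2" }, organization: { id: "org_example_other" } },
];
for (const login of SAMPLE_LOGINS) {
  console.log(login.connection.strategy, "->", mfaDecision(login).reason);
}
```

The decision deliberately ignores anything Google may have done: an ID token from a social provider tells the app who the user is, not how strongly they were authenticated, so the app's MFA is enforced independently, which is exactly the two-prompt outcome described in the reply above.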