Enforce MFA with specific factors using Actions

santiagogdo · September 14, 2023, 8:11am

Hi guys. I’m trying to enforce MFA for users that have enabled the feature in my app. To do this, I’m storing an array in the user metadata with the authentication factors the user has enabled in the app, for example ['sms', 'email', 'otp'].

I’ve checked all the documentation I’ve been able to find related to MFA, and this article in particular.

According to that article, there are two methods available in the Action Post-Login flow that could help me accomplish what I’m trying to do:

api.authentication.challengeWithAny
api.authentication.challengeWith

I’ve tried both methods several times, but they don’t seem to work. When the user logs in, the MFA flow is never triggered, and goes directly to the app.

The only method that triggers the MFA flow so far is api.multifactor.enable('any'), however this method triggers the MFA with the factors available at tenant level (with SMS as the main factor), which doesn’t work for what I’m trying to accomplish.

I also saw some discrepancy in the documentation because on the article I mentioned, the first example is this:

api.authentication.challengeWithAny([{ type: 'sms'}, { type: 'push-notification' }]);

And then, later on it uses ‘phone’ instead of ‘sms’:

api.authentication.challengeWithAny([{type: 'otp'}, {type: 'phone'}]);

However, at the top of the articles, before the examples, it clearly shows the name for each factor, which coincides with the documentation for the post-login api object.

I’ve tried all I could think of but didn’t have any luck. Am I missing something?

This is my action’s code:

exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction?.protocol === "oauth2-refresh-token") {
    return;
  }

  const enabledFactors = event.user.user_metadata.mfa_enabled_factors;
  // Check if the user has opted-in for MFA
  if (event.user.user_metadata && enabledFactors && enabledFactors.length > 0) {
    try {
      const factors = enabledFactors.map((factor) => {
        if (factor === 'sms') {
           return {
             type: 'phone',
             options: {
               preferredMethod: 'sms'
             }
           }
         }

        return {
          type: factor
        }
      })

      api.authentication.challengeWithAny(factors)
    }
    catch (error) {
      console.log(error)
    }
  }
}

Additionally, I’m not sure if it’s relevant, but I’m using passwordless authentication as the primary method for signin in.

Thanks in advance.

nathan.jenkins · September 18, 2023, 8:40am

Hi @santiagogdo , welcome to the Auth0 Community!

Thanks for sharing the information, I believe that this is not working as expected since the feature is currently in Early Access and first must be enabled on your tenant.
To request EA you may need to contact support if you have a paid plan.

If you wait a little longer, the feature is on track to ship to General Availability on the 28th of September, then you should be able to use this feature in your tenant and production.
Keep an eye on the Auth0 Changelog to see the announcement when this feature moves to GA

I hope this helps!

santiagogdo · September 29, 2023, 5:43pm

HI @nathan.jenkins, thanks for your response! Do you know if it did go public? I’ve been watching the Auth0 changelog as well as the twitter account but didn’t see any information related as to whether it was released to the public.

nathan.jenkins · October 2, 2023, 10:26am

Hi @santiagogdo ,

I’ve looked into this and can see there is now a delay on the GA Release. There is not an updated target date, its currently just TBC. We should see a new GA Target Date provided within the next few days, and once I see this I’ll provide an update in this thread.
Thanks!

santiagogdo · October 16, 2023, 2:46pm

@nathan.jenkins Hi Nathan, appreciate the reply! Any news on this?

nathan.jenkins · October 16, 2023, 8:18pm

Hi @santiagogdo , thanks for the reminder

General Availability has a new target date of November 7th, thanks!

sample · November 7, 2023, 10:38pm

Any update on this if its working? I tried today and its still not working

konrad.sopala · January 8, 2024, 12:43pm

Hey there!

As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!

Learn more here!

Topic		Replies	Views
How to correctly enable SMS or email MFA in post-login trigger Help management-api , users	2	36	October 10, 2024
Enforce MFA factor type based on user Role Help mfa , mfa-api	1	506	January 11, 2024
Post-login action and MFA Help mfa , mfa-prompt-new-experience	3	481	May 24, 2024
ChallengeWith method for MFA Help mfa , email-factor	0	839	September 14, 2023
Challenge the User for MFA before a redirection in Actions Knowledge Articles actions , mfa-enablement , forms	1	12	November 1, 2024

Enforce MFA with specific factors using Actions

Related Topics