How can I force a user to configure at least 2 MFA methods or specific MFA methods

RT.

If I’d like to force a user to use SMS, but the user was using OTP.

And api.authentication.enrollWith did not work when I tested it in the Authentication Profile; I guess it should bring me to the page for configuring SMS, but it does nothing.

Thanks in advance.

Hi @jun.wu,

Welcome to the Auth0 Community!

Yes, you should be able to force the user to configure at least 2 MFA methods.

One solution is to use the api.access.deny() method to block the user from logging in until they have configured at least 2 MFA methods.

To keep track of how many methods a user has enrolled, you can either append this information in the user_metadata or find it by calling the Management API’s GET /api/v2/users/{id}/authentication-methods endpoint.

I hope this helps!

Cheers,
Rueben

Hi @rueben.tiow ,
thanks for your comment.

I’d like to use the customized login flow to do it.

If I’d like to navigate to the enrollment page again, even if the user already has an MFA method, is there any API I could use in Actions? Like api.access.deny().

Regards,
Jun

Hi @jun.wu,

Yes, using the Post-Login action in your login flow should work.

Now, you won’t be able to redirect your user back to the enrollment page directly. But you can log them out so the session doesn’t stay “stuck” from being denied, and then you can allow them to reauthenticate and enroll with the other MFA factors. You will want to inform your users that they are being denied access until they have enrolled with at least 2 MFA factors.

To log them out, here is an example:

exports.onExecutePostLogin = async (event, api) => {
  // Replace TENANT_DOMAIN with your Auth0 tenant domain and
  // WHITELISTED_LOGOUT_URL with a URL listed in the tenant's Allowed Logout URLs.
  if (!event.user.email_verified) {
    // Send the user to the tenant logout endpoint so no denied session is left behind.
    api.redirect.sendUserTo('https://TENANT_DOMAIN/v2/logout', {
      query: { returnTo: 'WHITELISTED_LOGOUT_URL' }
    });
  }
};

Cheers,
Rueben
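Putting the two replies together, here is an added Post-Login Action (not code from the thread or from Auth0) that counts the distinct factors returned by the Management API's GET /api/v2/users/{id}/authentication-methods endpoint and logs the user out until at least two are enrolled. The secret names, the `type`/`confirmed` field names in the response, and the sample response are assumptions; check them against what your tenant returns.

```javascript
// Constructed sample of an authentication-methods response (field names assumed).
const SAMPLE_METHODS = [
  { id: 'totp|dev_1', type: 'totp', confirmed: true },
  { id: 'phone|dev_2', type: 'phone', confirmed: true },
  { id: 'phone|dev_3', type: 'phone', confirmed: true }, // same factor type again
  { id: 'email|dev_4', type: 'email', confirmed: false }, // enrollment never finished
];

// Count distinct, confirmed factor types; two phones still count as one factor.
function countDistinctFactors(methods) {
  const types = new Set();
  for (const m of methods || []) {
    if (m && typeof m.type === 'string' && m.confirmed !== false) {
      types.add(m.type);
    }
  }
  return types.size;
}

// Policy decision: allow only when the user has at least `minimum` factors.
function evaluateMfaPolicy(methods, minimum = 2) {
  const enrolled = countDistinctFactors(methods);
  return { allow: enrolled >= minimum, enrolled };
}

// Assumes secrets TENANT_DOMAIN, MGMT_API_TOKEN (a Management API token with
// read:users) and MFA_ENROLL_NOTICE_URL (an allowed logout URL that explains
// the requirement). These secret names are hypothetical.
async function onExecutePostLogin(event, api) {
  const base = `https://${event.secrets.TENANT_DOMAIN}`;
  const url = `${base}/api/v2/users/${encodeURIComponent(event.user.user_id)}/authentication-methods`;
  const res = await fetch(url, {
    headers: { Authorization: `Bearer ${event.secrets.MGMT_API_TOKEN}` },
  });
  if (!res.ok) {
    // Fail closed: an unknown enrollment state must not grant access.
    api.access.deny('Unable to verify MFA enrollment, please try again.');
    return;
  }
  const { allow } = evaluateMfaPolicy(await res.json(), 2);
  if (!allow) {
    // Log out rather than deny, so the session is not left "stuck".
    api.redirect.sendUserTo(`${base}/v2/logout`, {
      query: { returnTo: event.secrets.MFA_ENROLL_NOTICE_URL },
    });
  }
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```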
