How do I show the MFA screen only for the first login?

Hi team, we have the following use case:
“We are trying to implement 2FA on our application. The user logs in to our web application to do a lot of stuff, but the riskier one is changing the bank payment details, hence we are implementing 2FA only while trying to edit payment details. Thus, our flow would be:
1st login - force user to enroll for 2FA using phone number (This way we force everyone to enroll)
2nd login onwards - no OTP asked on login.
Changing payment details from product - Since we forced the user to enroll for 2FA in 1st login, we’ll ask the OTP here directly.”

How is it possible to show the 2FA enrollment screen only during the first login and not on the subsequent logins? Is there a way to show the 2FA screen only if the user is not already enrolled for 2FA? Can you help with sample snippets if possible? Thanks

Hi @sulav,

To satisfy the requirement for enrolling MFA on first login, you can take a look at utilizing Actions in a number of ways, such as setting a custom field in App_Metadata to determine if a user has set MFA or not, or you could look at the enrolled factors of that user. As an example, I created an action below that would trigger based on the number of factors the user has enrolled (if none, force MFA). This is a post-login action that looks at the array of factors and will update for subsequent logins, so it will only trigger if a user has no factors. You could of course set this for your specific provider/factor.

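exports.onExecutePostLogin = async (event, api) => {
  // event.user.multifactor lists the MFA providers the user is enrolled in;
  // it can be absent when there are none, so default to an empty array.
  const enrolledMFA = (event.user.multifactor || []).length;
  // No factors yet: enable MFA so the user is taken through enrollment.
  if (enrolledMFA <= 0) {
    api.multifactor.enable("any");
  }
};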

To then trigger MFA based on when a user attempts to access certain applications etc., I recommend taking a look through our documentation here, Step-Up MFA. This should help explain the use and configuration of a Rule to achieve your desired auth flow.
Hope this information helps, thanks!

1 Like
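
The two halves of this thread in one post-login Action, as an added example that is not part of the original posts or Auth0's own code: enroll when the user has no factors, and otherwise challenge only when the application requests step-up. It assumes the application asks for step-up by sending the multi-factor `acr_values` value when the user opens the payment-details page; `decideMfa`, `MFA_ACR` and the sample events are illustrative names and constructed data.

```javascript
// Added example. decideMfa and MFA_ACR are illustrative names (assumptions).
// ACR value the application sends in acr_values to request step-up MFA.
const MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor";

// Pure decision for one login: "enroll", "challenge" or "none".
function decideMfa(event) {
  // Providers the user is enrolled in; may be absent when there are none.
  const factors = event.user.multifactor || [];
  if (factors.length === 0) return "enroll"; // first login: force enrollment

  const requested = (event.transaction && event.transaction.acr_values) || [];
  const methods = (event.authentication && event.authentication.methods) || [];
  const mfaDone = methods.some((m) => m.name === "mfa");
  // Enrolled user: challenge only when the app asked for step-up and MFA
  // has not already been completed in this session.
  return requested.includes(MFA_ACR) && !mfaDone ? "challenge" : "none";
}

const onExecutePostLogin = async (event, api) => {
  if (decideMfa(event) !== "none") {
    // A remembered browser must not skip the payment-details challenge.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};
// Actions load the handler from exports; the guard keeps the file runnable elsewhere.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Constructed sample events, trimmed to the fields the decision reads.
const SAMPLE_EVENTS = [
  { label: "first login", user: {} },
  { label: "normal login", user: { multifactor: ["guardian"] },
    transaction: { acr_values: [] } },
  { label: "edit payment details", user: { multifactor: ["guardian"] },
    transaction: { acr_values: [MFA_ACR] },
    authentication: { methods: [{ name: "pwd" }] } },
  { label: "step-up already done", user: { multifactor: ["guardian"] },
    transaction: { acr_values: [MFA_ACR] },
    authentication: { methods: [{ name: "pwd" }, { name: "mfa" }] } },
];
for (const e of SAMPLE_EVENTS) console.log(`${e.label}: ${decideMfa(e)}`);
```

The payment-details endpoint still has to confirm on the server that the token it receives records MFA (an `amr` claim containing `mfa`) before accepting the change, since the Action only controls what happens at login.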
