It is a common use case to allow users to optionally enable MFA via settings. This can be achieved using the MFA API, where you can list, activate or deactivate MFA challenges for a user. For example, `/mfa/authenticators` lists all the challenges enrolled for that user with their status (`active: true/false`). With this, we can create a UI to manage these challenges.
Later, we have to write an Action to trigger MFA only for the users that are enrolled in MFA and have an active challenge. The problem is that `event.user.multifactor` returns a list of all the challenges enrolled at any time, but there's no way of knowing if the challenges are active. Due to this, one has to modify the user/app metadata using the Management API to add the information about whether the user has an active challenge or not.
Request: Make `event.user.multifactor` an array of objects instead of strings, like: `[{name: "google-authenticator", active: true}]`. Or provide the `active` information in some other way. This would make it much easier to enable this use case.
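
The metadata workaround described in the post, sketched as an added example (not code from the post or from Auth0). It assumes a hypothetical `mfa_active` key in `app_metadata` that the settings backend rewrites from the `/mfa/authenticators` response; the sample response is constructed, and ignoring recovery codes is a design choice of this example.

```javascript
// Added example, not Auth0's or the poster's code.
// Assumption: "mfa_active" is a hypothetical app_metadata key that the
// settings backend rewrites after every enroll/delete call to the MFA API.
const MFA_FLAG = "mfa_active";

// Constructed sample of a GET /mfa/authenticators response body.
const sampleAuthenticators = [
  { id: "recovery-code|dev_EXAMPLE1", authenticator_type: "recovery-code", active: true },
  { id: "totp|dev_EXAMPLE2", authenticator_type: "otp", active: false },
  { id: "sms|dev_EXAMPLE3", authenticator_type: "oob", oob_channel: "sms", active: true },
];

// True when at least one real challenge is active. In this example a
// recovery code alone does not count: it is a fallback, not a challenge.
function hasActiveChallenge(authenticators) {
  if (!Array.isArray(authenticators)) {
    // Refuse to compute a flag from an error body; a wrong "false" here
    // would silently switch MFA off for the user.
    throw new TypeError("expected the authenticator list as an array");
  }
  return authenticators.some(
    (a) => a && a.active === true && a.authenticator_type !== "recovery-code"
  );
}

// Body for the Management API user update. app_metadata is used rather than
// user_metadata because the flag decides whether a second factor is required.
function metadataPatch(authenticators) {
  return { app_metadata: { [MFA_FLAG]: hasActiveChallenge(authenticators) } };
}

// Post-login Action handler: challenge only users whose flag is set.
async function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  if (meta[MFA_FLAG] === true) {
    api.multifactor.enable("any");
  }
}

// The Actions runtime looks the handler up on `exports`.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

The flag is only as fresh as its last sync, so the backend has to rewrite it after every change made through the MFA API, not only on first enrollment.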