MFA Customization / Flexible Factor Selection Not Compatible with the Non-Interactive Flows

Problem statement

When Flexible Factor Selection is used with the Resource Owner Password Grant (ROPG), the post-login MFA challenge cannot be delivered and the following error is written to the tenant logs:

MFA required. The post login MFA commands are not compatible with the non-interactive flows.

Flexible Factor Selection is triggered by a post-login Action calling either of these two methods:

  • api.authentication.challengeWith(factor, options)
  • api.authentication.challengeWithAny(factors)

It’s documented here:

Symptoms

Error in tenant logs

type : mfar
description : MFA required. The post login MFA commands are not compatible with the non-interactive flows.

Cause

As the Customize MFA Selection in New Universal Login article states, this customization is only available in the New Universal Login Experience. ROPG is a non-interactive flow: no Universal Login page is rendered, so the post-login MFA commands issued by the Action have nowhere to present the challenge, and the login is rejected with the mfar log entry above.

Solution

Unfortunately, Flexible Factor Selection is not currently available for WS-Fed, SAML, or non-interactive flows (including ROPG).

The workaround is to branch on event.transaction.protocol inside the post-login Action: for those flows either skip MFA entirely or trigger the classic MFA with api.multifactor.enable, and reserve api.authentication.challengeWith for interactive flows, e.g.:

exports.onExecutePostLogin = async (event, api) => {
  // ROPG is non-interactive: the post-login MFA commands cannot run here,
  // so fall back to the classic trigger ('any' = any enrolled factor).
  if (event.transaction && event.transaction.protocol === 'oauth2-resource-owner') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  } else {
    // Interactive flow on the New Universal Login Experience; 'otp' is illustrative.
    api.authentication.challengeWith({ type: 'otp' });
  }
};
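The following is an added example, not code from the Auth0 article, that turns the workaround above into a complete post-login Action: it routes every protocol the article lists as unsupported (ROPG, SAML, WS-Fed) to the classic api.multifactor.enable trigger and uses the post-login MFA commands everywhere else. The protocol strings 'samlp' and 'wsfed', the api.authentication.enrollWithAny call, the PREFERRED_FACTORS policy, and the event.user.enrolledFactors shape are assumptions for this illustration; the sample events and the runAction harness are constructed so the file runs offline.

```javascript
// Added example, not from the Auth0 article: a complete post-login Action
// that routes by event.transaction.protocol. PREFERRED_FACTORS, the
// 'samlp'/'wsfed' protocol strings and the event.user.enrolledFactors shape
// are assumptions for this illustration.

// Flows the article lists as unsupported for the post-login MFA commands:
// ROPG (non-interactive), SAML and WS-Fed. Extend with any other
// non-interactive protocol your tenant uses.
const UNSUPPORTED_PROTOCOLS = new Set(['oauth2-resource-owner', 'samlp', 'wsfed']);

// Assumed tenant policy: offer the strongest enrolled factors first.
const PREFERRED_FACTORS = ['webauthn-roaming', 'push-notification', 'otp', 'phone', 'email'];

// Pure routing decision, kept apart from the api calls so it can be tested
// without the Actions runtime. event.transaction is optional in the runtime;
// a missing transaction is treated as non-interactive.
function decideMfa(event) {
  const protocol = event.transaction ? event.transaction.protocol : undefined;
  if (!protocol || UNSUPPORTED_PROTOCOLS.has(protocol)) {
    // Classic trigger: works on every flow, but offers no factor customisation.
    return { action: 'enable', provider: 'any' };
  }
  // Assumed shape: event.user.enrolledFactors = [{ type: 'otp' }, ...]
  const enrolled = new Set((event.user.enrolledFactors || []).map((f) => f.type));
  const factors = PREFERRED_FACTORS.filter((t) => enrolled.has(t)).map((type) => ({ type }));
  if (factors.length === 0) {
    // Nothing enrolled yet: let the user enrol any permitted factor.
    return { action: 'enrollWithAny', factors: PREFERRED_FACTORS.map((type) => ({ type })) };
  }
  return { action: 'challengeWithAny', factors };
}

// The handler Auth0 invokes after the credentials have been verified.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.action === 'enable') {
    api.multifactor.enable(decision.provider, { allowRememberBrowser: false });
  } else if (decision.action === 'enrollWithAny') {
    api.authentication.enrollWithAny(decision.factors);
  } else {
    api.authentication.challengeWithAny(decision.factors);
  }
}
// Auth0 picks the handler up from exports; the guard keeps the file loadable
// as an ES module when it is run outside the Actions runtime.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// --- Local harness (constructed, not part of the Action) ------------------
// Records which api command the handler issued for a given event.
function runAction(event) {
  const calls = [];
  const api = {
    multifactor: { enable: (provider, options) => calls.push(['multifactor.enable', provider, options]) },
    authentication: {
      challengeWithAny: (factors) => calls.push(['challengeWithAny', factors]),
      enrollWithAny: (factors) => calls.push(['enrollWithAny', factors]),
    },
  };
  // The handler contains no await, so it has finished by the time it returns.
  onExecutePostLogin(event, api);
  return calls;
}

// Constructed sample events: an ROPG login and a browser (OIDC) login.
const ropgEvent = {
  transaction: { protocol: 'oauth2-resource-owner' },
  user: { user_id: 'auth0|example', enrolledFactors: [{ type: 'otp' }] },
};
const oidcEvent = {
  transaction: { protocol: 'oidc-basic-profile' },
  user: { user_id: 'auth0|example', enrolledFactors: [{ type: 'email' }, { type: 'otp' }] },
};

console.log(runAction(ropgEvent)); // [['multifactor.enable', 'any', { allowRememberBrowser: false }]]
console.log(runAction(oidcEvent)); // [['challengeWithAny', [{ type: 'otp' }, { type: 'email' }]]]
```

Keeping the decision in decideMfa means the protocol allow-list and factor ordering can be unit-tested locally, and the only untestable part, the api calls, is a thin switch. Note that the classic trigger still enforces MFA on ROPG; an ROPG client that cannot complete an MFA challenge will receive the mfa_required error, so deciding between "enable" and "skip" for such flows is a policy choice, not a technical one.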