I’m trying to figure out how to write an Action (or Rule if necessary) that implements the following logic:
if new device:
    require mfa
else if last MFA was more than 7 days ago:
    require mfa
The gist: require the user to MFA at least every 7 days, but also capture cases where there’s no evidence of having previously MFA’d from the device/browser in question.
For this, you’ll need to set up a way to store and check for the last time a user was able to authenticate with MFA. I think you could use app_metadata for this.
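One way to implement this in a post-login Action, as an added example that is not part of the original posts or Auth0's own code. It assumes a session that has completed MFA carries an `mfa` entry with a timestamp in `event.authentication.methods`, treats a session without one as a new device/browser, and uses a hypothetical `last_mfa_at` key in app_metadata.

```javascript
// Added example: 7-day MFA policy for an Auth0 post-login Action.
const MAX_AGE_MS = 7 * 24 * 60 * 60 * 1000; // re-prompt at least every 7 days
const KEY = "last_mfa_at"; // hypothetical app_metadata key (assumption)

// Pure decision function, so the policy can be tested without a tenant.
function decideMfa(event, now = Date.now()) {
  const methods = (event.authentication && event.authentication.methods) || [];
  // Newest "mfa" entry = evidence that this browser session has done MFA.
  const sessionMfa = methods
    .filter((m) => m.name === "mfa")
    .map((m) => Date.parse(m.timestamp))
    .filter((t) => !Number.isNaN(t))
    .sort((a, b) => b - a)[0];
  // Missing or malformed stored value parses to NaN and is ignored.
  const stored = Date.parse((event.user.app_metadata || {})[KEY]);

  // No MFA recorded for this session: treat as a new device/browser.
  if (sessionMfa === undefined) return { require: true, reason: "new_device" };

  // Keep app_metadata in step with the newest MFA time we have seen.
  const last = Number.isNaN(stored) ? sessionMfa : Math.max(stored, sessionMfa);
  const record = last !== stored ? new Date(last).toISOString() : null;

  if (now - last > MAX_AGE_MS) return { require: true, reason: "stale", record };
  return { require: false, reason: "recent", record };
}

const onExecutePostLogin = async (event, api) => {
  const decision = decideMfa(event);
  if (decision.record) api.user.setAppMetadata(KEY, decision.record);
  // allowRememberBrowser: false so the Action, not a browser cookie, decides.
  if (decision.require) {
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};

// Actions load the handler from `exports`; guarded so the file also runs elsewhere.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

Because app_metadata is stored on the user rather than the device, the per-device signal here comes from the session's authentication methods; the stored timestamp only answers the "more than 7 days ago" half.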