Problem statement
How can we write an MFA Once Per Session Action?
Solution
/* triggers MFA once per session */
exports.onExecutePostLogin = async (event, api) => {
  // event.authentication is optional; treat a missing method list as "no MFA yet"
  const methods = event.authentication?.methods ?? [];
  if (!methods.find(({ name }) => name === 'mfa')) {
    api.multifactor.enable("any", { allowRememberBrowser: true });
  }
};
The above can be used to avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session. The Action looks for an entry named mfa in event.authentication.methods and enables MFA only when no such entry is present. This is particularly useful when performing silent authentication (prompt=none) to renew short-lived access tokens in a SPA (Single Page Application) throughout a user's session without having to rely on setting allowRememberBrowser to true.
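The following local harness is an added example, not part of the original article or Auth0's own code. It restates the Action's check as a standalone function and runs it against constructed events. The mock api object, the helper names and the sample events are assumptions made for illustration.

```javascript
// True when the current session already records a completed MFA step.
// A missing or malformed method list counts as "no MFA yet" (fail closed).
function mfaDoneInSession(event) {
  const methods = event.authentication?.methods;
  return Array.isArray(methods) && methods.some(({ name }) => name === 'mfa');
}

// Same decision as the Action above, written as a local function.
const onExecutePostLogin = async (event, api) => {
  if (!mfaDoneInSession(event)) {
    api.multifactor.enable('any', { allowRememberBrowser: true });
  }
};

// Hypothetical stand-in for the Actions `api` object; it only records calls.
function makeMockApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

// Runs the Action against one event and reports whether MFA was requested.
// The handler contains no `await`, so its body has finished when it returns.
function promptsForMfa(event) {
  const api = makeMockApi();
  onExecutePostLogin(event, api);
  return api.calls.length === 1;
}

// Constructed sample events (not captured Auth0 payloads).
const firstLogin = { authentication: { methods: [{ name: 'pwd' }] } };
const silentRenewal = {
  authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] },
};
const noAuthDetails = {}; // event.authentication absent

console.log('first login prompts:', promptsForMfa(firstLogin));
console.log('silent renewal prompts:', promptsForMfa(silentRenewal));
console.log('no auth details prompts:', promptsForMfa(noAuthDetails));
```
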