MFA Once Per Session Action

Problem statement

How can we write an MFA Once Per Session Action?

Solution

/* triggers MFA once per session */
exports.onExecutePostLogin = async (event, api) => {
	if (!event.authentication.methods.find(({ name }) => name === 'mfa') ) {
       api.multifactor.enable("any", { allowRememberBrowser: true });
    }
};

The above can be used to avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session. This is particularly useful when performing silent authentication (prompt=none) to renew short-lived access tokens in a SPA (Single Page Application) during the duration of a user’s session without having to rely on setting allowRememberBrowser to true.