MFA Once Per Session Action

konrad.sopala · June 28, 2023, 9:28am

Problem statement

How can we write an MFA Once Per Session Action?

Solution

/* triggers MFA once per session */
exports.onExecutePostLogin = async (event, api) => {
	if (!event.authentication.methods.find(({ name }) => name === 'mfa') ) {
       api.multifactor.enable("any", { allowRememberBrowser: true });
    }
};

The above can be used to avoid prompting a user for multifactor authentication if they have successfully completed MFA in their current session. This is particularly useful when performing silent authentication (prompt=none) to renew short-lived access tokens in a SPA (Single Page Application) during the duration of a user’s session without having to rely on setting allowRememberBrowser to true.

Topic		Replies	Views
MFA Once per Session Action FAQ example seems incomplete Help mfa , mfa-prompt-new-experience	1	1014	August 14, 2023
Behaviour of Require MFA Once Per Session rule/action on native apps Help mfa , mfa-prompt-classic-experience	1	688	January 5, 2024
Disable allowRememberBrowser Help mfa , mfa-api	5	403	May 6, 2024
Configuring MFA Flow to require MFA once per session with Actions Knowledge Articles mfa , extensibility , actions	1	2918	June 14, 2022
Post-login action and MFA Help mfa , mfa-prompt-new-experience	3	443	May 24, 2024

MFA Once Per Session Action

Problem statement

Solution

Related Topics