MFA Once Per Session Action

Last Updated: Nov 29, 2024

Overview

This article details how to write an MFA Once Per Session Action.

Applies To

  • Action
  • Multifactor Authentication (MFA)
  • Single Page Application (SPA)

Solution

The Action below can be used to avoid prompting a user for multifactor authentication if they have already completed MFA successfully in their current session.

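/* triggers MFA once per session */
exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists the methods completed in this session;
  // an entry named 'mfa' means MFA has already been done.
  if (!event.authentication?.methods?.find(({ name }) => name === 'mfa')) {
    // allowRememberBrowser must be false for this check to work as intended
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};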

This is particularly useful when performing silent authentication (prompt=none & response_mode=web_message) to renew short-lived access tokens in a Single Page Application (SPA) for the duration of a user’s session.

allowRememberBrowser must be set to false. If the user chooses to remember the browser for 30 days, the ‘mfa’ value will not be present in the event.authentication.methods array, and this will conflict with the expected behavior of this action.
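A local harness for the Action above, as an added example that is not part of the original article: it runs the same check against constructed event objects with a stub api object, so the first-login and silent-renewal cases can be verified before deploying. The helper names makeApi, runAction and runScenarios are hypothetical, and the events contain only the fields the Action reads.

```javascript
// Same logic as the Action in this article, bound to a local name for testing.
const onExecutePostLogin = async (event, api) => {
  if (!event.authentication?.methods?.find(({ name }) => name === 'mfa')) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
};

// Stub for the api object: records every call to multifactor.enable.
function makeApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Runs the Action against a constructed event and returns the recorded calls.
// methodNames === null models an event with no authentication object at all.
async function runAction(methodNames) {
  const api = makeApi();
  const event = methodNames === null
    ? {}
    : { authentication: { methods: methodNames.map((name) => ({ name })) } };
  await onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed scenarios: interactive first login, silent renewal in the same
// session after MFA, and an event that carries no authentication details.
async function runScenarios() {
  const first = await runAction(['pwd']);
  const renewal = await runAction(['pwd', 'mfa']);
  const missing = await runAction(null);
  return {
    firstLoginPrompts: first.length === 1,
    silentRenewalPrompts: renewal.length === 1,
    missingAuthenticationPrompts: missing.length === 1,
    rememberBrowserOffered: first[0].options.allowRememberBrowser,
  };
}

runScenarios().then((result) => console.log(result));
```

Only the silent-renewal event, whose methods array already contains 'mfa', skips the prompt; every other case requests MFA with allowRememberBrowser set to false.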

See Set allowRememberBrowser Using api.authentication.challengeWith for more details.