During sign-in, if the identity logging in meets a set of criteria and does not have a verified email, we want to perform a form of MFA (I understand it isn't truly MFA), where we send an OTP to their email. If the user produces the OTP, we want to set the verified email status and then allow them to log in.
This example showed us how we could trigger other forms of MFA given a set of criteria. However, this page claims that you cannot use MFA for this particular purpose, as it requires the email to be verified to leverage MFA.
We also noticed that there are many examples of the user simply being denied access when their email is not verified. This won't work for the user experience. Additionally, for security reasons, we want to try to ensure that the person authenticating is the same person verifying their email. Because of this, we want to use the code from their email in the current flow, rather than a unique link.
How can we go about doing this? Is it viable via a post-login action with some form of MFA enabled strangely? Or will we have to do a redirect to a custom page?