I have a webapp where the user can access resources that need stronger authentication levels than just email/password. If a user accesses those I check whether he has already logged in with a second factor. If not, I redirect him to authenticate again, using the same parameters as before but with an additional acr_values=aal2 parameter. The user gets prompted for his mfa code but beforehand he has to type in his email/password, although he already provided those. Is it possible to just prompt for the second factor in this case? If so, how do I do that?
That’s not possible. If you’re using Lock with the default configuration, though, your user should see this screen:
This way, they don’t have to type the username/password again, just click the button and they’ll move on to the next step.
Ok, I can work with that. I also can think of cases where you would want that behavior.