Rules around MFA

I am forcing certain users to enroll in MFA, if they haven't done so before, right after login with the code below:

    // Auth0 post-login Action: the snippet below runs inside the onExecutePostLogin handler.
    exports.onExecutePostLogin = async (event, api) => {
      const assignedRoles = (event.authorization || {}).roles || [];

      // event.user.multifactor lists the MFA providers the user is enrolled with.
      const enrolledFactors = event.user.multifactor || [];
      if (assignedRoles.indexOf('somerole') !== -1 && enrolledFactors.length === 0) {
        console.log("MFA not completed, triggering");
        // The user has not enrolled for MFA yet, trigger MFA enrollment
        api.multifactor.enable("any");
        return;
      }
    };

And I have enabled the phone message and email factors for MFA.

  1. I would like to force the user to enter only an Australian number with +61 as the country code (not changeable). How?
  2. After successful enrollment, I have a requirement to call our backend API/SNS topic to update the phone number in our backend systems. How?

I always get confused by the term "guardian", which I thought was a mobile app (we don't want that) which sends the OTP as a push notification. But it is often mixed up with MFA itself instead of being one of the factors of MFA.

For example, in the raw JSON of a user who enrolled in MFA with phone (SMS), it shows like this:

    "multifactor": [
        "guardian"
    ],
    "guardian_authenticators": [
        {
            "id": "email|dev_27nqnaGzL2GpzulV",
            "type": "email",
            "confirmed": true,
            "name": "brusn**********@ewwe.******",
            "created_at": "2022-01-05T23:26:56.000Z"
        },
        {
            "id": "sms|dev_yHikNRONtY8AW9ls",
            "type": "sms",
            "confirmed": true,
            "name": "XXXXXXXX8311",
            "created_at": "2022-01-06T00:53:20.000Z",
            "enrolled_at": "2022-01-06T00:53:38.000Z",
            "last_auth_at": "2022-01-06T00:53:38.000Z"
        }
    ]

What actually is it from an Auth0 perspective?

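The following is an added example, not code from the original post and not Auth0's own API. It is plain Node.js run over a user object shaped like the raw JSON in the post, and shows the relationship the post asks about: `"guardian"` under `multifactor` is the umbrella MFA provider, while the concrete factors (email, SMS) are the entries under `guardian_authenticators`. It also reworks the post's role check so that it counts confirmed authenticators rather than the length of `multifactor`, and includes a plain format check for the +61 requirement from question 1. The sample user, the `decide` event shape, the `"push"` type name for the Guardian mobile app, and the `isAustralianMobile` pattern are assumptions for illustration; how the phone number would reach that check inside Auth0 is not something the post settles.

```javascript
// Added example (not from the original post, not Auth0 code).
// Runs with plain Node.js and needs no network or Auth0 tenant.

// Constructed sample mirroring the post's raw JSON; ids are placeholders.
const sampleUser = {
  multifactor: ["guardian"],
  guardian_authenticators: [
    {
      id: "email|dev_PLACEHOLDER1", type: "email", confirmed: true,
      name: "brusn**********@ewwe.******", created_at: "2022-01-05T23:26:56.000Z",
    },
    {
      id: "sms|dev_PLACEHOLDER2", type: "sms", confirmed: true,
      name: "XXXXXXXX8311", created_at: "2022-01-06T00:53:20.000Z",
      enrolled_at: "2022-01-06T00:53:38.000Z", last_auth_at: "2022-01-06T00:53:38.000Z",
    },
  ],
};

// Separate the provider ("guardian") from the factors actually enrolled.
// Only confirmed authenticators count: an unconfirmed SMS entry is not a usable factor.
function summarizeMfa(user) {
  const providers = user.multifactor || [];
  const authenticators = user.guardian_authenticators || [];
  const confirmedTypes = authenticators
    .filter((a) => a.confirmed === true)
    .map((a) => a.type);
  return {
    usesGuardian: providers.includes("guardian"),
    confirmedFactors: [...new Set(confirmedTypes)].sort(),
    // "push" is assumed here to be the authenticator type of the Guardian mobile app.
    hasPushApp: confirmedTypes.includes("push"),
  };
}

// Role-gated enrollment decision, as in the post, but based on confirmed factors.
// A user with "guardian" listed yet no confirmed factor is still sent to enrollment.
function needsEnrollment(user, roles, requiredRole) {
  if (!roles.includes(requiredRole)) return false;
  return summarizeMfa(user).confirmedFactors.length === 0;
}

// Format check for question 1: Australian mobile numbers in E.164 form,
// i.e. +61 followed by a 4 and eight more digits. Spaces and dashes are tolerated.
// This is only the check; it does not fix the country code in any Auth0 UI.
function isAustralianMobile(e164) {
  const compact = String(e164).replace(/[\s-]/g, "");
  return /^\+614\d{8}$/.test(compact);
}

// Hypothetical event shape, modelled on the post's event.user / event.authorization.
function decide(event, requiredRole) {
  const roles = (event.authorization || {}).roles || [];
  return {
    ...summarizeMfa(event.user || {}),
    triggerEnrollment: needsEnrollment(event.user || {}, roles, requiredRole),
  };
}

// Demo run on the constructed sample.
console.log(decide({ user: sampleUser, authorization: { roles: ["somerole"] } }, "somerole"));
console.log("+61 412 345 678 ->", isAustralianMobile("+61 412 345 678"));
```

For the sample user, `decide` reports `usesGuardian: true`, `confirmedFactors: ["email", "sms"]` and `triggerEnrollment: false`; an empty user object with the same role yields `triggerEnrollment: true`. The separation into `summarizeMfa` and `needsEnrollment` keeps the role policy apart from the interpretation of the user record, so either can be adjusted without touching the other.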