I am using the webAuth.checkSession method to silently renew the token. It all worked well, but when I enabled MFA the renewal failed with the following error: {error: "login_required", error_description: "Multifactor authentication required"}
Is there a way to keep the renew feature working when MFA is enabled?
My case is:
User enters username/password and performs Guardian MFA.
User is logged in successfully, and checkSession to renew the token will succeed.
After the user logs out, they need to perform Guardian MFA again.
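The failure described above, written out as an added example (not code from the question or from auth0-js): a small wrapper around the auth0-js `checkSession(options, callback)` API that tells the MFA variant of `login_required` apart from other outcomes, so the application can fall back to an interactive `authorize()` rather than retrying a silent renewal that can never succeed. The `webAuth` object is injected, and the `fakeWebAuth` helper at the bottom is a constructed stand-in so the module runs offline; the `kind` labels and the `nextAction` policy are this example's own choices, not part of auth0-js.

```javascript
// Added example: distinguishing the "Multifactor authentication required"
// failure of webAuth.checkSession from other silent-auth outcomes.
// Assumes the auth0-js v9 shape checkSession(options, cb(err, authResult)),
// where err carries `error` and `error_description`.

// Classify a checkSession error. login_required with an MFA description means
// there is no silent path at all: the user has to go through the interactive
// flow (webAuth.authorize), which will prompt for MFA again.
function classifyRenewError(err) {
  if (!err) return 'ok';
  const desc = String(err.error_description || err.description || '').toLowerCase();
  if (err.error === 'login_required') {
    return desc.includes('multifactor') ? 'mfa_required' : 'login_required';
  }
  if (err.error === 'consent_required' || err.error === 'interaction_required') {
    return 'interaction_required';
  }
  return 'other'; // e.g. timeout, network, or a misconfigured callback URL
}

// Attempt one silent renewal and resolve with a structured outcome instead of
// throwing, so the caller can decide whether to redirect the browser.
function silentRenew(webAuth, options) {
  return new Promise((resolve) => {
    webAuth.checkSession(options, (err, authResult) => {
      const kind = classifyRenewError(err);
      if (kind === 'ok') {
        resolve({ kind, accessToken: authResult.accessToken, expiresIn: authResult.expiresIn });
      } else {
        resolve({ kind, error: err });
      }
    });
  });
}

// Policy for the outcome: only a login/MFA/interaction failure should send the
// user to the interactive flow; transient errors are retried later rather than
// forcing a fresh login.
function nextAction(outcome) {
  switch (outcome.kind) {
    case 'ok':
      return 'store_token';
    case 'mfa_required':
    case 'login_required':
    case 'interaction_required':
      return 'interactive_login';
    default:
      return 'retry_later';
  }
}

// Constructed fake standing in for an auth0-js WebAuth instance. The three
// states mirror what the thread reports: a browser the user chose to remember
// (silent renewal succeeds), a session that still requires MFA, and no session.
function fakeWebAuth(sessionState) {
  return {
    checkSession(_options, cb) {
      if (sessionState === 'mfa_pending') {
        cb({ error: 'login_required', error_description: 'Multifactor authentication required' }, null);
      } else if (sessionState === 'no_session') {
        cb({ error: 'login_required', error_description: 'Login required' }, null);
      } else {
        cb(null, { accessToken: 'constructed-access-token', expiresIn: 7200 });
      }
    },
    authorize(_options) {
      // A real WebAuth instance would redirect the browser to the login page here.
    },
  };
}

// Usage: renew, then either store the token or fall back to interactive login.
async function renewOrLogin(webAuth, options) {
  const outcome = await silentRenew(webAuth, options);
  const action = nextAction(outcome);
  if (action === 'interactive_login') webAuth.authorize(options);
  return { outcome, action };
}
```

The point of the classification is that `login_required` is not one condition: when its description says multifactor is required, no amount of silent retrying helps unless the user had opted to remember the browser, so the only correct response is the interactive flow.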
As mentioned in the answer to the question you linked to, if you allow end-users to remember their browsers then checkSession will succeed for those that opted in to that option, so technically that's a way to have silent authentication working with MFA. However, I'm guessing your exact requirements are not satisfied by the above. If that's the case you should update the question with some more context information about your case; for example, do you want to always bypass no matter the user selection, or any other things you require.
@jmangelo I have updated my case. All I want is that when the user has logged in successfully and performed MFA, the MFA should be bypassed in the renew token. But when the user logs out and re-logins they need to perform MFA again.
As mentioned in the answer, when remember browser is enabled and the end-user chooses it then refreshing is possible. Are you having an issue with that, or with MFA not being triggered after logout?
My issue is that after logging in successfully (having performed MFA), I want the MFA to be bypassed regardless of whether the user selects 'allow browser remember' or not when performing Silent Authentication. But when we log out I want the MFA to be triggered normally.
The part about bypassing MFA regardless of the user selection I don't think is possible, because you can define bypass criteria in rules, but to my knowledge there's no reliable way in rules to detect if the authentication is being performed based on an existing session (bypass MFA) or based on the user inputting credentials (after logout; do not bypass MFA).
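For reference, an added example (not a rule posted in this thread, and not Auth0's own code) of what the two mechanisms mentioned above look like in an Auth0 rule: rules are Node functions with the signature `function (user, context, callback)`, the `allowRememberBrowser: true` setting on `context.multifactor` is what offers users the "remember browser" choice that later lets checkSession succeed, and leaving `context.multifactor` unset is how a rule bypasses MFA for a login. The `skip_mfa` flag in `app_metadata` is a hypothetical bypass criterion used only to illustrate the shape; the `runRule` harness and the sample user/context objects are constructed so the rule can be exercised offline.

```javascript
// Added example of an Auth0 rule that enables Guardian MFA with the
// "remember browser" option and shows where a bypass criterion would go.
// Rule signature and context.multifactor fields follow Auth0's documented
// rule shape; the skip_mfa flag is an assumption for illustration only.
function mfaRule(user, context, callback) {
  const appMeta = user.app_metadata || {};

  // Hypothetical bypass criterion: a per-user flag in app_metadata.
  // Not setting context.multifactor means no MFA challenge for this login.
  if (appMeta.skip_mfa === true) {
    return callback(null, user, context);
  }

  // Require Guardian and let the user opt in to remembering this browser.
  // Users who opt in can later renew silently via checkSession; users who
  // do not will get "Multifactor authentication required" on silent renewal.
  context.multifactor = {
    provider: 'guardian',
    allowRememberBrowser: true
  };
  return callback(null, user, context);
}

// Constructed harness: run the rule the way the Auth0 pipeline would and
// return what it passed to callback, so the effect on context is inspectable.
function runRule(user, context) {
  let result = null;
  mfaRule(user, context, (err, u, c) => {
    result = { err, user: u, context: c };
  });
  return result;
}

// Constructed sample inputs.
const sampleUser = { user_id: 'auth0|example', app_metadata: {} };
const flaggedUser = { user_id: 'auth0|example-skip', app_metadata: { skip_mfa: true } };
function freshContext() {
  return { clientID: 'constructed-client-id', protocol: 'oidc-basic-profile' };
}
```

The rule only decides whether to challenge; it cannot tell an existing-session login (checkSession) apart from a credential login, which is exactly the limitation the reply above describes. The remember-browser choice is therefore the user's, made on the MFA prompt, not something the rule can grant after the fact.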
What about if I want to use SMS for MFA? This will not allow the 'remember their browsers' option.
So I will never be able to renew the token without an actual login.
@it4 any luck with refreshing the token silently while MFA is enabled, without forcing login again? I am facing the same scenario.
I also have similar requirements for my application and from this thread I can see that I have no way to achieve them.
I am using allowRememberBrowser = true, but I would also like for the users to be able to skip the MFA after successful MFA authentication even if they have not checked the 'Remember browser' box for their current session.
Here is the flow that we have in our application: user signs up and enrolls in MFA (there is no opportunity to check the 'Remember browser' box when enrolling) → user needs to verify their email address via a link in the email → the link brings them to our website → the MFA is prompted again (now with an ability to check the 'Remember browser' box, but having to do it twice is still a bad UX).