Unable to trigger required SMS MFA challenge when biometrics is set up

I am unable to trigger a Phone/SMS challenge in my Universal Login flow if the user is already set up for biometrics (webauthn-platform). Here is my action. When testing, the console.log statement "Previous SMS MFA authorization expired, prompting SMS MFA" is executed, but I don't get an SMS MFA enforcement flow. Instead, it still defaults to the biometric check and, on success, just completes. If I choose password instead of going through biometrics, the SMS challenge does appear. I have other actions in the mix, but none of them ever call api.multifactor.enable, only api.authentication.enrollWith.

My requirement is to be able to force an SMS MFA check on certain logins, even when biometrics is set up.

If the device does not have biometrics, the flow works as expected, with SMS MFA enforcement every time.

```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Factor descriptors passed to api.authentication.challengeWith()
  const factor_sms = {
    type: 'phone',
    options: { preferredMethod: 'sms' }
  };
  const factor_biometric = {
    type: 'webauthn-platform'
  };

  // Not defined in the snippet as posted; assumed to be the user's app_metadata
  const appMetadata = event.user.app_metadata;

  // Only challenge users who already have at least one enrolled factor
  const canPromptMfa = event.user.multifactor && event.user.multifactor.length > 0;
  if (canPromptMfa) {
    if (appMetadata && appMetadata.hasOwnProperty("LAST_SUCCESSFUL_LOGIN_WITH_MFA_SMS")) {
      const mfaAuthExpired = true; // for testing SMS MFA on strict auth expiration
      if (mfaAuthExpired) {
        console.log("Previous SMS MFA authorization expired, prompting SMS MFA");
        api.authentication.challengeWith(factor_sms);
      } else {
        console.log("Previous MFA authorization is still valid");
        api.authentication.challengeWith(factor_biometric);
      }
    } else {
      console.log('No successful SMS MFA login detected, prompting SMS MFA');
      api.authentication.challengeWith(factor_sms);
    }
  }
};
```