Unable to trigger required SMS MFA challenge when biometrics is set up

I am unable to trigger a Phone/SMS challenge in my Universal Login flow if the user is already set up for biometrics (webauthn-platform). Here is my action. When testing, the console.log statement “Previous SMS MFA authorization expired, prompting SMS MFA” is executed, but I don’t get an SMS MFA enforcement flow. Instead, it still defaults to the biometric check and, on success, just completes. If I choose password instead of going through biometrics, the SMS challenge does appear. I have other actions in the mix, but none of them ever call api.multifactor.enable, only api.authentication.enrollWith.

My requirement is to be able to force an SMS MFA check on certain logins, even when biometrics is set up.

If the device does not have biometrics, the flow works as expected, with SMS MFA enforcement every time.

exports.onExecutePostLogin = async (event, api) => {
  // Factor descriptors passed to api.authentication.challengeWith()
  const factor_sms = {
    type: 'phone',
    options: { preferredMethod: 'sms' }
  };
  const factor_biometric = {
    type: 'webauthn-platform'
  };

  // The posted snippet used appMetadata without defining it;
  // it is read from the user profile here so the Action runs.
  const appMetadata = event.user.app_metadata;

  // Only challenge users who already have MFA set up
  const canPromptMfa = event.user.multifactor && event.user.multifactor.length > 0;
  if (canPromptMfa) {
    if (appMetadata && appMetadata.hasOwnProperty("LAST_SUCCESSFUL_LOGIN_WITH_MFA_SMS")) {
      const mfaAuthExpired = true; // for testing SMS MFA on strict auth expiration
      if (mfaAuthExpired) {
        console.log("Previous SMS MFA authorization expired, prompting SMS MFA");
        api.authentication.challengeWith(factor_sms);
      } else {
        console.log("Previous MFA authorization is still valid");
        api.authentication.challengeWith(factor_biometric);
      }
    } else {
      console.log('No successful SMS MFA login detected, prompting SMS MFA');
      api.authentication.challengeWith(factor_sms);
    }
  }
};

Hi @henry_csft, and sorry for the late reply!

When Biometrics are enabled, it is not possible to challenge with another MFA before, as described in our docs. This is because Biometrics is considered the most secure MFA challenge.

If you would like this feature to be available, please share your use case with the team in the feature-request section.

Thank you for your question, and let me know if I can assist you further!

Sincerely,
Teodor
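
The expiry check that the Action in the question stubs out with `mfaAuthExpired = true`, written as an added example that is not part of either post and is not Auth0's own code. It assumes `LAST_SUCCESSFUL_LOGIN_WITH_MFA_SMS` holds an ISO 8601 timestamp and that the policy window is 12 hours; the helper names `smsMfaExpired` and `chooseChallenge` are hypothetical, and `event.user.enrolledFactors` is used instead of `event.user.multifactor` so the factor types can be inspected.

```javascript
// Added example. The metadata key is from the question; the timestamp
// format (ISO 8601) and the 12-hour window are assumptions.
const SMS_KEY = "LAST_SUCCESSFUL_LOGIN_WITH_MFA_SMS";
const MAX_AGE_MS = 12 * 60 * 60 * 1000;

// Fail closed: a missing, unparseable or future timestamp counts as expired,
// so bad or tampered metadata can never skip the SMS step.
function smsMfaExpired(appMetadata, nowMs, maxAgeMs = MAX_AGE_MS) {
  const raw = appMetadata ? appMetadata[SMS_KEY] : undefined;
  const last = typeof raw === "string" ? Date.parse(raw) : NaN;
  if (Number.isNaN(last) || last > nowMs) return true;
  return nowMs - last > maxAgeMs;
}

// Pure decision function (hypothetical helper) so the policy is unit-testable
// outside the Actions runtime. Returns null when the user has no factors.
function chooseChallenge(event, nowMs) {
  const enrolled = (event.user.enrolledFactors || []).map((f) => f.type);
  if (enrolled.length === 0) return null;
  const wantSms = smsMfaExpired(event.user.app_metadata, nowMs);
  return {
    factor: wantSms
      ? { type: "phone", options: { preferredMethod: "sms" } }
      : { type: "webauthn-platform" },
    // Per the reply above, an SMS challenge is not shown ahead of biometrics
    // when a platform authenticator is enrolled; flag it so it shows in logs.
    smsMayBePreempted: wantSms && enrolled.includes("webauthn-platform"),
  };
}

const onExecutePostLogin = async (event, api) => {
  const decision = chooseChallenge(event, Date.now());
  if (!decision) return;
  if (decision.smsMayBePreempted) {
    console.log("SMS MFA required, but webauthn-platform is enrolled");
  }
  api.authentication.challengeWith(decision.factor);
};

if (typeof module !== "undefined") module.exports = { onExecutePostLogin };
```
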