Updating User MFA Details in Post-Login Action Before MFA Challenge

Problem statement

If a post-login Action is used to update a user’s MFA information (e.g. the phone number for SMS), how will the user’s new phone number be used in the MFA challenge?

Example use-case:
A post-login Action checks an external database to see whether the user has entered their phone number correctly. If not, the Action updates the user’s phone number.

Solution

Any changes made to MFA data in a post-login Action will not be reflected in the ensuing MFA challenge. If a phone number is changed in an Action, the new number will not be used to send the SMS. Changing user or MFA data while the user is performing a login is not recommended.