Use Rule to disable MFA

Hello,

I can see it’s possible to add a rule to conditionally enable mfa on a per request basis (as detailed here).

This requires the global “Require Multi-factor Auth” setting to be set to “Never”.

That all makes sense, we can trigger the MFA flow on a request by request basis using some arbitrary logic in a rule, which is very useful.

However, is it possible to do the opposite i.e. set the global “Require Multi-factor Auth” setting to be set to “Always” instead and then disable the MFA flow for select users instead?

Thanks,
Lee

1 Like

Any update on this post?

Thanks

I had this same problem. Finally found some documentation here: Customize Adaptive MFA with Rules

I ended up implementing a rule like the following:

function disableMultifactorForSpecificUsers(user, context, callback) {
  // Only users whose app_metadata carries skip_mfa: true bypass MFA.
  // app_metadata is used (rather than user_metadata) because end users
  // cannot edit it themselves.
  if (user.app_metadata && (user.app_metadata.skip_mfa === true)) {
    console.log(`${user.email} skipping MFA`);
    // Setting the provider to 'none' tells the rule pipeline not to
    // challenge this login.
    context.multifactor = {
      provider: 'none',
    };
  }

  callback(null, user, context);
}

And then under the specific users that are allowed to skip MFA, added a "skip_mfa":true item to the app_metadata so that we control who can skip and who can’t. Our primary use case is developers when the SMS messages go beyond 10 per hour for a user, and the app reviewer user for the app store.

I hope this helps,

-jeremy

1 Like

Welcome to the community @copiousfreetime and @lmcmullen - Thanks a bunch for the follow up on this @copiousfreetime :smile:

A quick note for future community users - I’m not positive (yet) that there is an equivalent to this using Actions, but the route mentioned above requires multi-factor auth to be set to “Never” in Security → Multi-Factor Auth.

exports.onExecutePostLogin = async (event, api) => {
  // Skip MFA only for users whose app_metadata carries skip_mfa: true.
  // Guard against a missing app_metadata object before reading the flag.
  const userAppMetaData = event.user.app_metadata || {};
  if (userAppMetaData.skip_mfa !== true) {
    console.log(`user ${event.user.email} mfa enforced`);
    api.multifactor.enable('any');
  } else {
    console.log(`user ${event.user.email} skipped mfa`);
  }
};

Hope this helps!
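Since both answers in this thread hinge on the same decision (enforce MFA unless `app_metadata.skip_mfa` is exactly `true`), the following is an added example, not code from the thread or from Auth0, that factors that decision into a pure function and exercises it offline against a mock of the Actions `api` object. It assumes only what the thread already shows: a Post-Login Action receives `event.user` and calls `api.multifactor.enable(provider)` to require MFA for the current login. `MockMfaApi`, `shouldSkipMfa`, `runAction` and the sample users are all constructed for this example. It goes slightly beyond the posted snippets by checking the cases a reviewer would want covered: a missing `app_metadata`, a string `"true"` instead of a boolean, and a flag placed in `user_metadata` (which end users can set on themselves and which must therefore be ignored).

```javascript
// Added example (not from the thread or from Auth0): an offline harness for
// the "skip MFA per user" Action logic. Assumption: a real Auth0 Post-Login
// Action exports this handler as `exports.onExecutePostLogin`; here it is a
// plain const so the file runs under either module system.

// The decision as a pure function: enforce MFA unless app_metadata.skip_mfa
// is strictly the boolean true. app_metadata is consulted (never
// user_metadata) because users can update their own user_metadata.
function shouldSkipMfa(user) {
  const meta = (user && user.app_metadata) || {}; // guard: app_metadata may be absent
  return meta.skip_mfa === true;                   // strict: "true" or 1 do not count
}

// Same shape as the Action in the thread, with the decision factored out.
const onExecutePostLogin = async (event, api) => {
  if (shouldSkipMfa(event.user)) {
    console.log(`user ${event.user.email} skipped mfa`);
    return;
  }
  console.log(`user ${event.user.email} mfa enforced`);
  api.multifactor.enable('any');
};

// Minimal stand-in for the Actions `api` object (constructed for testing):
// it only records which provider, if any, MFA was enabled with.
class MockMfaApi {
  constructor() { this.enabledWith = null; }
  get multifactor() {
    return { enable: (provider) => { this.enabledWith = provider; } };
  }
}

// Run the Action against a constructed user and report what it decided:
// 'any' when MFA was enforced, null when the login was allowed to skip it.
async function runAction(user) {
  const api = new MockMfaApi();
  await onExecutePostLogin({ user }, api);
  return api.enabledWith;
}

// Constructed sample users covering the cases worth checking before deploy.
const SAMPLE_USERS = {
  developer:  { email: 'dev@example.test',  app_metadata: { skip_mfa: true } },
  stringFlag: { email: 'str@example.test',  app_metadata: { skip_mfa: 'true' } },
  noMetadata: { email: 'new@example.test' },
  selfSet:    { email: 'self@example.test', user_metadata: { skip_mfa: true } },
};

// Stand-alone run: print the decision for each sample user.
(async () => {
  for (const [name, user] of Object.entries(SAMPLE_USERS)) {
    const result = await runAction(user);
    console.log(`${name}: ${result === null ? 'skipped' : 'enforced (' + result + ')'}`);
  }
})();
```

Only the `developer` user is allowed to skip; the string flag, the user with no `app_metadata` at all, and the user who set `skip_mfa` in their own `user_metadata` are all challenged. Keeping the decision in a small pure function like `shouldSkipMfa` is what makes this checkable before the Action is deployed to a tenant.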
