I can see it’s possible to add a rule to conditionally enable MFA on a per-request basis (as detailed here).
This requires the global “Require Multi-factor Auth” setting to be set to “Never”.
That all makes sense: we can trigger the MFA flow on a request-by-request basis using some arbitrary logic in a rule, which is very useful.
However, is it possible to do the opposite, i.e., set the global “Require Multi-factor Auth” setting to “Always” instead and then disable the MFA flow for select users?
And then, under the specific users that are allowed to skip MFA, add a "skip_mfa":true item to the app_metadata so that we control who can skip and who can’t. Our primary use case is developers, when the SMS messages go beyond 10 per hour for a user, and the app reviewer user for the app store.
A quick note for future community users - I’m not positive (yet) that there is an equivalent to this using Actions, but the route mentioned requires “Require Multi-factor Auth” to be set to “Never” in Security → Multi-Factor Auth.

```js
exports.onExecutePostLogin = async (event, api) => {
  // Skip MFA for users with a skip_mfa flag in app_metadata.
  // app_metadata may be absent for a user, so fall back to an empty object,
  // and only an explicit boolean true skips MFA (fail closed otherwise).
  const userAppMetaData = event.user.app_metadata || {};
  if (userAppMetaData.skip_mfa !== true) {
    console.log(`user ${event.user.email} mfa enforced`);
    api.multifactor.enable('any');
  } else {
    console.log(`user ${event.user.email} skipped mfa`);
  }
};
```
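As an added example (not code from the thread or from Auth0), here is a small offline harness that runs a post-login Action of the same shape against stubbed `event` and `api` objects, so the skip_mfa decision can be checked before deploying. The `makeApi` and `runAction` helpers are hypothetical test scaffolding; `shouldSkipMfa` is the fail-closed version of the check (a missing `app_metadata` or a string `"true"` still enforces MFA).

```javascript
// Fail-closed decision: only an explicit boolean true in app_metadata skips MFA.
// Missing metadata, null, or a string "true" all fall through to enforcement.
function shouldSkipMfa(appMetadata) {
  return appMetadata?.skip_mfa === true;
}

// Post-login Action of the same shape as the thread's, using the strict check.
// Not calling api.multifactor.enable() leaves the global "Never" setting in force.
const onExecutePostLogin = async (event, api) => {
  if (shouldSkipMfa(event.user.app_metadata)) {
    return; // skip_mfa flag present: MFA not triggered for this login
  }
  // allowRememberBrowser:false forces the challenge on every login.
  api.multifactor.enable('any', { allowRememberBrowser: false });
};

// Stub of the Auth0 `api` object that records what the Action asked for
// (hypothetical test helper, not part of the Auth0 runtime).
function makeApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

// Runs the Action for a constructed user and returns the recorded enable() calls.
// The Action body contains no awaits, so its side effects have all happened
// by the time the returned promise is created; the harness can stay synchronous.
function runAction(user) {
  const api = makeApi();
  onExecutePostLogin({ user }, api);
  return api.calls;
}

// Constructed sample users, as they would arrive in event.user.
const developer = { email: 'dev@example.com', app_metadata: { skip_mfa: true } };
const regular = { email: 'user@example.com' }; // no app_metadata at all
const spoofed = { email: 'x@example.com', app_metadata: { skip_mfa: 'true' } };

console.log('developer enforced:', runAction(developer).length > 0); // false
console.log('regular enforced:', runAction(regular).length > 0);     // true
console.log('spoofed enforced:', runAction(spoofed).length > 0);     // true
```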