I had this same problem. Finally found some documentation here: Customize Adaptive MFA with Rules
I ended up implementing a rule like the following:
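```javascript
function disableMultifactorForSpecificUsers(user, context, callback) {
  // Skip MFA only when the flag in app_metadata is the boolean true.
  if (user.app_metadata && (user.app_metadata.skip_mfa === true)) {
    console.log(`${user.email} skipping MFA`);
    // A provider of 'none' disables MFA for this login.
    context.multifactor = {
      provider: 'none',
    };
  }
  callback(null, user, context);
}
```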
And then, under the specific users that are allowed to skip MFA, I added a "skip_mfa": true item to the app_metadata so that we control who can skip and who can't. Our primary use case is developers, when the SMS messages go beyond 10 per hour for a user, and the app reviewer user for the app store.
I hope this helps,
-jeremy
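Added example, not part of the original post: an offline harness that runs the rule above against constructed user profiles and lists which accounts bypass MFA and which carry a `skip_mfa` key the rule ignores. The helpers `mfaSkipped` and `auditSkipMfa` and the sample profiles are hypothetical names introduced here; a real audit would feed in profiles exported from the tenant.

```javascript
// Rule from the post, reproduced so it can be exercised offline.
function disableMultifactorForSpecificUsers(user, context, callback) {
  if (user.app_metadata && (user.app_metadata.skip_mfa === true)) {
    console.log(`${user.email} skipping MFA`);
    context.multifactor = { provider: 'none' };
  }
  callback(null, user, context);
}

// Hypothetical helper: run the rule on one profile, report whether MFA was disabled.
function mfaSkipped(user) {
  let skipped = false;
  disableMultifactorForSpecificUsers(user, {}, (err, _user, context) => {
    if (err) throw err;
    skipped = Boolean(context.multifactor) && context.multifactor.provider === 'none';
  });
  return skipped;
}

// Hypothetical audit: list accounts that bypass MFA, and accounts carrying a
// skip_mfa key the rule ignores (wrong type, or placed in user_metadata, which
// Auth0 documents as the user-editable store).
function auditSkipMfa(users) {
  const report = { bypass: [], ignoredFlag: [] };
  for (const user of users) {
    const app = user.app_metadata || {};
    const usr = user.user_metadata || {};
    if (mfaSkipped(user)) {
      report.bypass.push(user.email);
    } else if (('skip_mfa' in app && app.skip_mfa !== false) || 'skip_mfa' in usr) {
      report.ignoredFlag.push(user.email);
    }
  }
  return report;
}

// Constructed sample profiles (not real accounts).
const SAMPLE_USERS = [
  { email: 'dev@example.com', app_metadata: { skip_mfa: true } },
  { email: 'reviewer@example.com', app_metadata: { skip_mfa: 'true' } },
  { email: 'self-set@example.com', user_metadata: { skip_mfa: true } },
  { email: 'off@example.com', app_metadata: { skip_mfa: false } },
  { email: 'plain@example.com' },
];

console.log(auditSkipMfa(SAMPLE_USERS));
```

The `bypass` list is the set of accounts to review periodically; entries in `ignoredFlag` usually point to a typo in the metadata or a flag set in the wrong place.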