Hello,
I am new to FusionAuth (it's really great!) and I've checked the docs for the API and I can't seem to figure out how to implement the flow for forced MFA activation for a new user.
1. We have the Login API which returns a twoFactorId if the login policy for MFA is set to "force". At this point we don't have an authentication JWT token nor the user id.
2. The activate 2fa API which receives the twoFactorId (from 1?) seems to need the user id in the URL or the authentication token. But at this stage we don't have either.
A workaround for now is to disable the force policy and enforce it from the integrator client application, by checking if the active MFA devices list is empty.
Any idea what the correct sequence of API calls should be?