Custom MFA using step up API
-
I'm evaluating FusionAuth and we need to use an MFA method that is currently not implemented. From your documentation, I know I could use the MFA step up API to implement any custom MFA method, and I like how flexible this would be, but I'm not sure how our application is supposed to check whether a user went through a successful step up.
After a user logs in, I call /api/two-factor/start with a code I generated, and then, after validating my custom MFA method, I send twoFactorId in a call to /api/two-factor/login. Both calls return 200 with data about the user and tokens. But I don't see any field in the user or claim in the JWT indicating that this user went through a successful step up.
Am I misunderstanding how this should work? What should my application do to only authorize "stepped up" users to use an endpoint?
I'm using Community Edition v1.30.2.
-
There is currently no way to determine if someone has gone through step-up auth via the token. I did just add an issue: https://github.com/FusionAuth/fusionauth-issues/issues/1491 ; feel free to add comments there.
What you can do is use a JWT populate lambda to add a claim to the JWT if the user has any MFA methods enabled. When you do a step up, you'll get a token and you can look at that claim.
HTH
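The JWT populate lambda described in the answer above, as an added example that is not FusionAuth's own code or part of the original thread. It assumes the lambda receives FusionAuth's user object with configured MFA methods under `user.twoFactor.methods` (each entry carrying a `method` name), and it pairs the lambda with the application-side check the question asks about. The `requiresMfaClaim` helper and the sample user objects are constructed for this example. As the answer notes, the claim only tells the application that the user has MFA configured; it does not record that this particular session completed a step up.

```javascript
// Added example, not FusionAuth project code.
// Assumption: FusionAuth's user object exposes configured MFA methods as
// user.twoFactor.methods, an array of { method: 'authenticator' | 'email' | 'sms', ... }.

// FusionAuth JWT populate lambda signature: populate(jwt, user, registration).
// Written in ES5 style because lambdas run inside FusionAuth's embedded JS engine.
function populate(jwt, user, registration) {
  var methods = (user && user.twoFactor && user.twoFactor.methods) || [];
  // Custom claims set on the jwt object are emitted in the issued token.
  jwt.mfaEnabled = methods.length > 0;
  jwt.mfaMethods = methods.map(function (m) { return m.method; });
}

// Application side (constructed helper): gate an endpoint on the custom claim.
// `claims` must be the payload of a JWT whose signature was already verified;
// claims from an unverified token carry no authorization weight.
function requiresMfaClaim(claims) {
  return claims !== null && typeof claims === 'object' && claims.mfaEnabled === true;
}

// Constructed sample users covering the three shapes a deployment will see.
const sampleUsers = {
  userWithTotp: { twoFactor: { methods: [{ method: 'authenticator', id: 'constructed-id-1' }] } },
  userWithNone: { twoFactor: { methods: [] } },
  userLegacy: {}, // user record with no twoFactor block at all
};

// Runs the lambda over each sample user and applies the application check.
function demo() {
  const results = {};
  for (const [name, user] of Object.entries(sampleUsers)) {
    const jwt = { sub: 'constructed-user-id', aud: 'constructed-app-id' };
    populate(jwt, user, null);
    results[name] = { claims: jwt, allowed: requiresMfaClaim(jwt) };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment, only `populate` goes into the FusionAuth lambda; the check in `requiresMfaClaim` lives in the API that protects the endpoint, after the usual signature, issuer, audience and expiry validation of the token.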