OTP mixed with external identity providers
-
Hi there,
We have a mix of customers - mostly using their own Azure or Okta that we federate with using FusionAuth's Identity Providers and associated reconcile lambdas.
In this case, MFA is taken care of with the external identity provider.
However, we sometimes create user accounts manually within FusionAuth, and in this scenario, we want to force MFA (OTP in particular) to be used.
At the Application level, I can force MFA to be used, thereby making sure that all users enrol the MFA OTP token at login time, but this also means that federated Azure customers then have to have a 3rd layer of authentication.
There seems to be no configuration setting requiring MFA at the user level, rather than application level - thereby making the user enrol the OTP token regardless of the application they are accessing.
How do we resolve this?
Thanks
Brad.
-
It sounds like you have a complex identity management setup with various types of users accessing your applications. To address the requirement of enforcing MFA (OTP) at the user level rather than the application level, you might need to adjust your approach slightly. Here's a suggestion on how you could resolve this:
- Customize User Registration Process: When creating user accounts manually within FusionAuth, you can customize the registration process to include mandatory enrollment of MFA (OTP). This could involve adding a step during account creation where users are prompted to set up MFA, and they can't proceed without completing this step.
- Use FusionAuth Hooks or Lambda Functions: FusionAuth provides hooks or Lambda functions that allow you to execute custom logic during various events, such as user registration. You can leverage these hooks to enforce MFA enrollment for manually created user accounts. For example, you could write a custom hook that checks if the user account was created manually and if so, requires MFA enrollment before allowing the account creation process to complete.
- Communicate MFA Requirement Clearly: Ensure that users are aware of the MFA requirement during the account creation process. Provide clear instructions on how to set up MFA and why it's necessary for their security. This helps in ensuring user compliance with the MFA enrollment process.
- User Education and Support: Offer resources and support to assist users in setting up MFA. This could include documentation, tutorials, or even direct support channels where users can get assistance if they encounter any issues during the MFA enrollment process.
By implementing these steps, you can enforce MFA (OTP) at the user level for manually created accounts within FusionAuth, while still allowing federated Azure customers to access your applications seamlessly without requiring an additional layer of authentication.
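As an added illustration (not code from this thread or from FusionAuth), the policy the question is after can be written as one decision function: a login that arrives through an identity-provider link the account already has trusts the upstream IdP's MFA, while any local login must enroll or present an OTP. The field names `identityProviderLinks`, `twoFactor.methods` and `viaIdentityProviderId` are assumptions loosely modelled on FusionAuth's user object, not a documented FusionAuth API.

```javascript
// Outcomes the calling application acts on after a successful primary login.
const Decision = Object.freeze({
  PASS: 'pass',                   // no extra factor: MFA was the federated IdP's job
  ENROLL_OTP: 'enroll-otp',       // local account without an authenticator: force setup
  CHALLENGE_OTP: 'challenge-otp'  // local account with an authenticator: demand a code
});

// Decide the second-factor step for one login.
// `login.viaIdentityProviderId` is set when the user arrived through a federated
// IdP (Azure/Okta) and is undefined for a local password login (assumed shape).
function decideSecondFactor(user, login) {
  const links = user.identityProviderLinks || [];
  const federatedLogin =
    login.viaIdentityProviderId !== undefined &&
    links.some((l) => l.identityProviderId === login.viaIdentityProviderId);

  // Trust the upstream IdP's MFA only when this login actually came through a
  // link the account already has. A password login on a federated account, or a
  // login claiming an IdP the account is not linked to, gets no such trust.
  if (federatedLogin) return Decision.PASS;

  const methods = (user.twoFactor && user.twoFactor.methods) || [];
  const hasAuthenticator = methods.some((m) => m.method === 'authenticator');
  return hasAuthenticator ? Decision.CHALLENGE_OTP : Decision.ENROLL_OTP;
}

// Constructed sample accounts (not real users).
const azureUser = {
  id: 'u-1',
  identityProviderLinks: [{ identityProviderId: 'idp-azure' }],
  twoFactor: { methods: [] }
};
const localUserNew = { id: 'u-2', identityProviderLinks: [], twoFactor: { methods: [] } };
const localUserEnrolled = {
  id: 'u-3',
  identityProviderLinks: [],
  twoFactor: { methods: [{ method: 'authenticator' }] }
};

// Run the four cases the thread cares about and return the decisions.
function demo() {
  return {
    azureViaIdp: decideSecondFactor(azureUser, { viaIdentityProviderId: 'idp-azure' }),
    azureLocalPassword: decideSecondFactor(azureUser, {}),
    newLocal: decideSecondFactor(localUserNew, {}),
    enrolledLocal: decideSecondFactor(localUserEnrolled, {})
  };
}

console.log(demo());
```

The `azureLocalPassword` case is the one worth checking in any real deployment: a federated account that is allowed to fall back to a local password must still be held to the OTP rule, or the IdP's MFA is silently bypassed.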
-