    • M

      UNSOLVED Friction-free multi application SSO with MFA enabled
      Q&A • mfa sso oauth2 • • mgetka

      1
      0
      Votes
      1
      Posts
      154
      Views

      No one has replied

    • dan

      SOLVED Getting around MFA
      Q&A • mfa login • • dan

      2
      0
      Votes
      2
      Posts
      285
      Views

      dan

      You can't do this with the hosted login pages, but there is an issue to allow/disallow MFA on an application by application basis: https://github.com/FusionAuth/fusionauth-issues/issues/763

      Currently, you can't bypass MFA, but you can do an end run around by using the Login API.

      You can start multi factor with a code you provide: https://fusionauth.io/docs/v1/tech/apis/two-factor/#start-multi-factor

      Then complete the login process with that known code: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication .

    • dan

      MFA with the password grant
      Q&A • password grant mfa • • dan

      2
      0
      Votes
      2
      Posts
      322
      Views

      dan

      Yes. While we recommend the Authorization Code grant in almost all situations, there are times when you need the password grant, and FusionAuth's MFA works with it just fine.

      When you begin the password grant, if the user has MFA set up, you won't receive the JWT on successful authentication. Instead you'll receive JSON like this:

      {"error":"two_factor_required","error_description":"The user has enabled two factor authentication.","two_factor_id":"gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw"}

      You'll then need to use the provided two_factor_id to complete the MFA as documented here: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication

      That might look something like this:

      curl https://local.fusionauth.io/api/two-factor/login -H 'content-type: application/json' -d '{"twoFactorId": "gDNV2_fFtl7vhMV5_5bFJUL3ZyZ5Ine69n0xWDXKEGw", "code": "487156"}'

      At that time you'll get a JWT and normal successful login response.

    • dan

      Can I enforce MFA for my users?
      Q&A • mfa multi factor • • dan

      2
      0
      Votes
      2
      Posts
      308
      Views

      dan

      There is no out of the box solution for this. See https://github.com/FusionAuth/fusionauth-issues/issues/763 for the tracking issue.

      However you can still do this with the API.

      If you are consuming a JWT, you can see if a user has enabled two factor authentication by putting a claim in the JWT using a populate lambda. Look at the user object and if the twoFactor.methods array isn't empty, they have enabled MFA. If you are not using a JWT but instead examining the user object directly, you can look at the same attributes.

      In each case, you should set up a page to allow the user to enable MFA and keep directing them there until they have done so. You can either build your own 'MFA enable' page or, if you have a paid edition, use the themeable account self service pages, as documented here: https://fusionauth.io/docs/v1/tech/account-management/
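
      The check described in the answer above, as an added example that is not part of the original post and not FusionAuth's own code: a JWT populate lambda that records whether `twoFactor.methods` is non-empty, and an application-side gate that keeps sending unenrolled users to the MFA enable page. The claim name `mfa_enabled`, the two paths and the sample users are assumptions made for this example.

```javascript
// FusionAuth side: JWT populate lambda (only this function goes in the lambda editor).
// "mfa_enabled" is a claim name chosen for this example.
function populate(jwt, user, registration) {
  var methods = (user.twoFactor && user.twoFactor.methods) || [];
  jwt.mfa_enabled = Array.isArray(methods) && methods.length > 0;
}

// Application side. Both paths are hypothetical.
const MFA_ENROLL_PATH = '/account/enable-mfa';
// Paths that must stay reachable without MFA, otherwise the redirect loops.
const ALLOWED_WITHOUT_MFA = new Set([MFA_ENROLL_PATH, '/logout']);

// Same check for callers that read the user object directly instead of a JWT.
function userHasMfa(user) {
  const methods = user && user.twoFactor && user.twoFactor.methods;
  return Array.isArray(methods) && methods.length > 0;
}

// `claims` must come from a JWT whose signature, issuer and expiry
// have already been verified by the application.
// Returns { allow: true } or { allow: false, redirect: <path> }.
function mfaGate(claims, requestedPath) {
  // Fail closed: a missing or non-boolean claim counts as "not enrolled".
  const enrolled = claims != null && claims.mfa_enabled === true;
  if (enrolled || ALLOWED_WITHOUT_MFA.has(requestedPath)) {
    return { allow: true };
  }
  return { allow: false, redirect: MFA_ENROLL_PATH };
}

// Constructed sample users (not real FusionAuth output).
const enrolledUser = { id: 'u1', twoFactor: { methods: [{ method: 'authenticator' }] } };
const plainUser = { id: 'u2', twoFactor: { methods: [] } };
const legacyUser = { id: 'u3' }; // no twoFactor object at all

// Simulates token issuance by running the lambda over a bare claim set.
function claimsFor(user) {
  const jwt = { sub: user.id };
  populate(jwt, user, {});
  return jwt;
}
```

      The claim reflects enrollment at the time the token was issued, so after a user enables MFA the application needs a freshly issued token before the gate lets them through.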