FusionAuth does not currently provide out-of-the-box support for security questions.

If security questions are critical to your solution, you would need to implement this functionality externally and integrate it with FusionAuth using API calls. For example:

Authoring Security Questions: Create a custom interface for users to set up their security questions and store these securely in your system. Using Security Questions During Registration: Extend your registration workflow to include security questions, then associate the responses with the user data stored in your database. Using Security Questions During Credential Recovery: Implement a custom flow to verify the user's identity using security questions before proceeding with a password reset, and use FusionAuth’s APIs to handle credential recovery.

By building this functionality externally and integrating it via FusionAuth’s APIs, you can achieve the desired security question workflow while maintaining compatibility with FusionAuth.

FusionAuth's TOTP implementation is compatible with most popular authenticator apps that follow the industry-standard TOTP algorithm, specifically those using HMACSHA1. While we cannot provide an exhaustive list, here are some commonly used authenticator apps that are known to work with FusionAuth:

Google Authenticator Authy Microsoft Authenticator LastPass Authenticator 1Password

Compatibility Check:

If an authenticator app does not support FusionAuth’s TOTP, it will simply fail to recognize the QR code when scanned.

Documentation Reference:

For more details about FusionAuth's TOTP implementation and requirements, refer to the FusionAuth TOTP Documentation.

Most users should have no issues using any modern TOTP-based authenticator app.

Hi Martin, we updated the feature matrix here: https://fusionauth.io/pricing?step=plan&hosting=self-hosting to make it clear that application specific MFA configuration is an enterprise only feature.

Cheers!

@dan Also, depending on the workflow, if a user does NOT federate but does NOT check "trust this computer" they will NOT establish "MFA trust". Without trust, a user will be prompted to MFA again. Of couruse, With "MFA trust", they will not be prompted. This answer is implicit to this conversation, but MFA policies and FusionAuth center around this check box and trust (with the current edge case of Federation noted).

You can't do this with the hosted login pages, but there is an issue to allow/disallow MFA on an application by application basis: https://github.com/FusionAuth/fusionauth-issues/issues/763

Currently, you can't bypass MFA, but you can do an end run around by using the Login API.

You can start multi factor with a code you provide: https://fusionauth.io/docs/v1/tech/apis/two-factor/#start-multi-factor

Then complete the login process with that known code: https://fusionauth.io/docs/v1/tech/apis/login/#complete-multi-factor-authentication .

Thanks for addressing this use case. Your proposal, however, runs counter to any standardization effort: Long live OAuth! 🙂

A better approach would be to switch from a password grant to the use of authorization codes (instead of passwords) to obtain the access token. This is fully within the OAuth framework and does not introduce fusionauth-specific hacks into the solution.

We have created as simple html page that redirects to the fusionauth authorize endpoint with grant_type=authorization_code. The browser handles MFA as usual. Upon redirecting to this page, the page can harvest the authorization code for the user to copy. From there proceed with into authorization code in place of a password.

PS: Long live OAuth!

There is no out of the box solution for this. See https://github.com/FusionAuth/fusionauth-issues/issues/763 for the tracking issue.

However you can still do this with the API.

If you are consuming a JWT, you can see if a user has enabled two factor authentication by putting a claim in the JWT using a populate lambda. Look at the user object and if the twoFactor.methods array isn't empty, they have enabled MFA. If you are not using a JWT but instead examining the user object directly, you can look at the same attributes.

In each case, you should set up a page to allow the user to enable MFA and keep directing them there until they have done so. You can either build your own 'MFA enable' page or, if you have a paid edition, use the themeable account self service pages, as documented here: https://fusionauth.io/docs/v1/tech/account-management/