MFA / 2FA Force Enrollment
-
Hi all,
We have a requirement where a specific application has additional security requirements - specifically that MFA MUST be used before a user can access it.
Is it possible that the first time a user tries to log in, they are automatically taken to the page where they need to enrol / configure the Google (or other time-based) MFA app?
Example:
User logs in, is redirected to the QR code page where they need to configure Google Authenticator (or another app), then they are allowed access to the SAML application.
Thanks in advance
-
Hi @bradley-kite ,
Do you want to do this using the FusionAuth hosted login pages? Or do you want to do it by writing your own integration using the Login API?
With the former it isn't currently possible (see here and here for more details).
With the latter, you need to just, at login, check to see if twoFactorEnabled is set on the user when they first sign in. If not, send them to the QR code page.
-
Hi Dan,
Is there a formal / supported way for us to write our own pages & logic and integrate it within the same FusionAuth installation?
For example, is there a directory we can place additional WAR files in? Or Java APIs that we can use to create our own plugins?
Regards
Brad.
-
Hiya,
There's no formal recommendation for how to integrate with FusionAuth, other than the APIs.
The way I'd build pages and logic that I wanted side by side (like a login page which required two factor auth for a given application) with FusionAuth would be to proxy FusionAuth with something like an ALB or nginx. Then have one path for FusionAuth login pages and another path for your custom application. You could retrieve the theme CSS and reuse it.
The only plugins that FusionAuth supports right now are for password importing.
The Java client library of course is available for integration, but if you are building a side by side webapp, I'd use whatever client library makes sense for your environment.
But perhaps I'm not sure what you're trying to accomplish with this integration. Would you like one deployable artifact or something similar? Can you explain more?
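
Added example, not part of the thread and not FusionAuth's own code: one way a custom login page built on the Login API could apply the check suggested in the replies above, sending a user without twoFactorEnabled to the QR code page before the MFA-only application is reached. The application id, function names and sample responses are constructed; the 242 status as the "second factor pending" response and the position of twoFactorEnabled under user are assumptions to confirm against the API documentation for the FusionAuth version in use.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholder: id of the application that must not be reached without MFA.
MFA_APP_ID = "00000000-0000-0000-0000-000000000001"
MFA_REQUIRED_APPS = {MFA_APP_ID}


def call_login_api(base_url, api_key, login_id, password, application_id):
    """POST credentials to the Login API; returns (http_status, parsed_body)."""
    payload = json.dumps({"loginId": login_id, "password": password,
                          "applicationId": application_id}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/login", data=payload, method="POST",
        headers={"Content-Type": "application/json", "Authorization": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # non-2xx: treat as a failed login
        return err.code, {}


def next_step(status, body, application_id):
    """Decide what the login page does next: deny, challenge, enroll or allow."""
    if status == 242:
        # Assumption: 242 = password accepted, second factor still pending.
        return ("challenge", body.get("twoFactorId"))
    if status != 200:
        # Any other status is refused here and needs its own handling.
        return ("deny", None)
    if application_id not in MFA_REQUIRED_APPS:
        return ("allow", None)
    user = body.get("user") or {}
    # Fail closed: a missing or non-boolean flag counts as "not enrolled".
    if user.get("twoFactorEnabled") is True:
        return ("allow", None)
    # Password-only login: create no application session yet; go to the QR code page.
    return ("enroll", user.get("id"))


if __name__ == "__main__":
    # Constructed Login API responses, so no network access is needed.
    print(next_step(200, {"user": {"id": "u-1", "twoFactorEnabled": False}}, MFA_APP_ID))
    print(next_step(242, {"twoFactorId": "tf-1"}, MFA_APP_ID))
```

The enroll branch should keep the user in a pending state on the server side until enrolment finishes, so that skipping the QR code page does not yield a session for the protected application.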