FusionAuth
    Alternate Auth Strategies

    General Discussion
    daniel.barrett wrote:

      Can I configure the following auth scenario?

      • user can authenticate through username/password AND MFA

      OR

      • user can authenticate through an application authentication token

      In other words, I want the Application Authentication Token to be a short circuit around MFA if the user has configured any tokens.

      Is this possible? Can anyone think of any workarounds that would accomplish as much?

      dan wrote:

        Is this possible? Can anyone think of any workarounds that would accomplish as much?

        I don't believe this is possible within the FusionAuth hosted login pages. A user has 2fa enabled or they don't, and the auth tokens follow the same login flow.

        If you wanted to have your application handle passwords (not typically a good idea, but possible), I suppose you could see if a password looked like an auth token (or maybe have a different endpoint) and then turn off, via an API call, the 2fa requirement for a given user. Seems error prone, but possible. Make sure you secure your application well 🙂 if this is a path you choose.

        It seems like you are looking for a way around 2fa, like some of the one time codes that Google provides. If so, here's a discussion on that very topic:
        https://fusionauth.io/community/forum/topic/330/is-it-possible-to-disable-two-factor-without-providing-the-two-factor-code

        That led to a github issue: https://github.com/FusionAuth/fusionauth-issues/issues/871

        Which we're planning to deliver with our MFA overhaul, which is currently planned for the 1.24.0 milestone: https://github.com/FusionAuth/fusionauth-issues/milestone/71 (and will be a feature for our paid editions, in the spirit of transparency).

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        daniel.barrett wrote:

          Thanks for the quick reply @dan !

          Our use case is this:

          • We have users that will be able to log in using their username/password (with MFA optionally turned on).
          • Separately, we want to be able to grant programmatic access to these users as well. Programmatic access obviously precludes any ability to do MFA so we were looking for a way around it. We thought the Application Token might be ideal.

          Obviously the presence of the Application Token somewhat reduces the security of the MFA itself. The idea is that we would ask users to treat the Token as such.

          We're willing to work outside the box here if you have any alternate ideas for accomplishing said functionality.

          dan wrote:

            You could maintain two user accounts, dan with MFA turned on and dan-api-access with MFA turned off and application tokens. You could then use webhooks to keep their permissions in sync.


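The two-account approach in the last reply (a human user with MFA, a companion user without MFA that holds the application tokens, and a webhook keeping their permissions aligned) leaves one question open: how the webhook receiver decides what to copy. The block below is an added example of that decision logic, not FusionAuth's own code and not anything posted in this thread. It assumes the registration webhook payload has the shape `{"event": {"type": "user.registration.update", "applicationId": ..., "user": {"id": ...}, "registration": {"roles": [...]}}}`, that roles are written with `PATCH /api/user/registration/{userId}/{applicationId}` and a body of `{"registration": {"roles": [...]}}`, and that the human-to-companion mapping (`COMPANIONS`) and the `API_ROLE_DENYLIST` are the deployment's own choices; the sample events are constructed. Beyond the thread's description, it adds the check a practitioner would want: roles only ever flow from the human account down to the companion, high-privilege roles are withheld from the token-only account so a leaked token cannot reach them, and events about the companion itself are ignored (apart from stripping a denylisted role) so the sync cannot loop on its own PATCH.

```python
"""Mirror a human account's roles onto its token-only companion account.

Added example for the two-account approach described in the thread; not
FusionAuth's own code. Assumptions: the registration webhook payload shape
{"event": {"type": ..., "applicationId": ..., "user": {"id": ...},
"registration": {"roles": [...]}}} and the endpoint
PATCH /api/user/registration/{userId}/{applicationId} with a body of
{"registration": {"roles": [...]}}. Check both against the documentation
for your FusionAuth version before deploying.
"""
from typing import Optional

# Roles a token-only companion must never hold (assumption: adjust to your app).
# Keeping high-privilege roles off the companion limits the blast radius of a
# leaked application token.
API_ROLE_DENYLIST = frozenset({"admin"})

# Constructed mapping: human user id -> companion user id. A deployment would
# keep this in its own database or in the user's `data` field.
COMPANIONS = {
    "11111111-1111-1111-1111-111111111111": "22222222-2222-2222-2222-222222222222",
}

REGISTRATION_EVENTS = ("user.registration.create", "user.registration.update")


def companion_roles(human_roles):
    """Roles the companion may hold: the human's roles minus the denylist."""
    return sorted(set(human_roles) - API_ROLE_DENYLIST)


def _patch(user_id: str, app_id: str, roles) -> dict:
    """Describe the registration PATCH (assumed endpoint) without sending it."""
    return {
        "method": "PATCH",
        "path": f"/api/user/registration/{user_id}/{app_id}",
        "body": {"registration": {"roles": list(roles)}},
    }


def plan_sync(payload: dict, companions: dict = COMPANIONS) -> Optional[dict]:
    """Translate one webhook payload into the API call that keeps roles in sync.

    Returns a dict describing the HTTP request to issue, or None when nothing
    should happen. The receiver must still authenticate the webhook itself
    (FusionAuth lets you configure headers or basic auth on a webhook) before
    trusting the payload.
    """
    event = payload.get("event", {})
    if event.get("type") not in REGISTRATION_EVENTS:
        return None

    user_id = event["user"]["id"]
    app_id = event["applicationId"]
    roles = event["registration"].get("roles", [])

    if user_id in companions.values():
        # Event is about a companion account: roles never propagate upward,
        # but a denylisted role granted by hand is stripped. Returning None
        # otherwise prevents a loop with the PATCH issued below.
        stripped = companion_roles(roles)
        if stripped == sorted(roles):
            return None
        return _patch(user_id, app_id, stripped)

    companion_id = companions.get(user_id)
    if companion_id is None:
        return None  # human account with no programmatic access configured
    return _patch(companion_id, app_id, companion_roles(roles))


# Constructed sample events, not captured from a real FusionAuth instance.
HUMAN_EVENT = {
    "event": {
        "type": "user.registration.update",
        "applicationId": "app-1",
        "user": {"id": "11111111-1111-1111-1111-111111111111"},
        "registration": {"applicationId": "app-1", "roles": ["admin", "editor", "viewer"]},
    }
}
COMPANION_EVENT = {
    "event": {
        "type": "user.registration.update",
        "applicationId": "app-1",
        "user": {"id": "22222222-2222-2222-2222-222222222222"},
        "registration": {"applicationId": "app-1", "roles": ["admin", "editor"]},
    }
}
UNRELATED_EVENT = {
    "event": {"type": "user.update", "user": {"id": "11111111-1111-1111-1111-111111111111"}}
}

if __name__ == "__main__":
    for name, ev in (("human", HUMAN_EVENT), ("companion", COMPANION_EVENT), ("other", UNRELATED_EVENT)):
        print(name, plan_sync(ev))
```

Wire `plan_sync` to whatever HTTP framework receives the webhook and send the described request with the API key of a service account that can only edit registrations for the application in question; the human account's MFA setting is never touched, which is the point of keeping the two users separate.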