I figured out the problem of the SMS message not sending: I had not been persisting the mobile phone number on the user entity.
I'm now making a PATCH call to the user with the mobile_phone after sending the initial code and before enabling 2FA on the user.
Hi @dan just saw this.
Yes, I think I'm all straightened out on MFA for now but I have a followup:
https://fusionauth.io/community/forum/topic/687/signup-registration-flow
It's sort of related to this ticket in that I'm running into a similar set of questions around the Signup/Registration flow that I had here. Namely: your docs list Registration as a series of API calls, but I want to know if there is an out-of-the-box form (like the Login form) that accomplishes the same thing. I haven't been able to find any documentation on it.
I think what was confusing to me about the MFA flow above was that the MFA flow was also documented as a series of API calls. So I built my own forms for collecting the information and submitting the code. That's why I was surprised to find an out-of-the-box MFA code form as part of the login flow once I enabled MFA. There wasn't any mention of this form in the docs. And as I looked, I can't find mention of any forms in the docs. I don't want the same thing to happen to me on the Registration flow, so I want to check first.
Thanks!
Hi @dan just saw this.
Yes, I think I'm all straightened out on MFA for now but I have a followup:
https://fusionauth.io/community/forum/topic/687/signup-registration-flow
It's sort of related to this ticket in that I'm running into a similar set of questions around the Signup/Registration flow that I had here. Namely: your docs list Registration as a series of API calls, but I want to know if there is an out-of-the-box form (like the Login form) that accomplishes the same thing. I haven't been able to find any documentation on it.
I think what was confusing to me about the MFA flow above was that the MFA flow was also documented as a series of API calls. So I built my own forms for collecting the information and submitting the code. That's why I was surprised to find an out-of-the-box MFA code form as part of the login flow once I enabled MFA. There wasn't any mention of this form in the docs. And as I looked, I can't find mention of any forms in the docs. I don't want the same thing to happen to me on the Registration flow, so I want to check first.
Thanks!
I noticed the epic for MFA logins in Github, and I also noted it will be part of the paid tier. Will there be any regression for support for MFA from the free tier?
Hi,
I'm looking for information regarding the registration flow. This page here indicates that there are a handful of API calls that will get the job done.
But is there some default form I can use? Just like the authorize form that comes out of the box, I don't need any fancy fields at the moment. I'm looking for a similar out-of-the-box signup form. Does that exist? Are there any docs for how to find and use it?
Thanks!
I figured out the problem of the SMS message not sending: I had not been persisting the mobile phone number on the user entity.
I'm now making a PATCH call to the user with the mobile_phone after sending the initial code and before enabling 2FA on the user.
I went and implemented the above 2FA form in my own app that prompts the user for a phone and verification code.
Enrolling in 2FA now works. Twilio integration works great. I get a code texted to me and I can use that code to enroll my user with 2FA (delivery="TextMessage") My user now has 2FA enabled.
When I hit the /authorize page (in fusionauth ui) to log in and enter my credentials, I get hit with a 2FA box, but the SMS message isn't sending. Should I expect fusionauth's ui to do that? Or should I be calling POST /api/two-factor/send myself?
I think my general sense of confusion stems from the fact that the 2FA w/ Twilio Push Tutorial is laid out as a series of API calls. Am I responsible for making all those API calls from my own webapp (and writing/hosting the forms that do so)? Or are the fusionauth forms supposed to handle that?
Thanks for the quick reply @dan !
Our use case is this:
Obviously the presence of the Application Token somewhat reduces the security of the MFA itself. The idea is that we would ask users to treat the Token as such.
We're willing to work outside the box here if you have any alternate ideas for accomplishing said functionality.
I'm realizing this might refer to a form that we build in our own web application that we can then proxy through to the FusionAuth API, is that correct?
I'm reading through the 2FA with Twilio Push docs and I've come across a step that says, "The following is an example form you may build to allow the User to configure this type of authentication."
In looking at Customizations > Form Fields, I'm not seeing any field that is used to collect a Verification Code (or Two Factor Delivery). Am I misunderstanding the 2FA docs? Is there a guide that shows how to configure a custom form for 2FA push notifications?
Can I configure the following auth scenario?
OR
In other words, I want the Application Authentication Token to be a short circuit around MFA if the user has configured any tokens.
Is this possible? Can anyone think of any workarounds that would accomplish as much?