
Add policy to enforce MFA for specific users using a lambda, group or other mechanism

Open mangeshparanjape opened this issue 2 years ago • 2 comments

It’s not possible to enforce MFA for a certain group of users. Currently it can only be controlled at the Tenant and Application levels.

Description

Currently it is not possible to enforce MFA at the User level using the API. We are looking for functionality to enforce MFA from the backend, or when users opt in to turn MFA on themselves, so that users will be prompted to set up MFA during the hosted login workflow.

So the workflow would be:

  1. MFA is enforced from our application backend for certain users, or turned on by users themselves from our application's user preference screen.
  2. User logs in using the hosted login workflow.
  3. Before redirecting back to the application after a successful login, if MFA is activated for the user, they will be redirected to the QR code page (the OAuth two-factor enable page in the theme), where the user can configure Google Authenticator and set up two-factor authentication.
  4. Validate with the code from the authenticator and continue.

Related

  • https://github.com/FusionAuth/fusionauth-issues/issues/763
  • https://github.com/FusionAuth/fusionauth-issues/issues/960
  • https://github.com/FusionAuth/fusionauth-issues/issues/1637
  • https://github.com/FusionAuth/fusionauth-issues/issues/2309

mangeshparanjape, May 25 '23 20:05

We have a multi-customer SaaS app that exists in a single tenant. Some of our customers would like to enforce MFA for their users. We do not see a way currently to allow a specific customer in our application to enforce MFA on their users and still allow other users of our application to not enforce MFA.

ckellyits, Dec 03 '25 01:12

hiya @ckellyits, thanks for sharing your use case. We are working on functionality that might help ( https://github.com/FusionAuth/fusionauth-issues/issues/2309 ) but have not released it yet. You can follow along with that issue to see when it is released.

For the present, if you represent each customer as a FusionAuth application (with a separate client id), using application scoped MFA rules might work. (It does require an Enterprise license.)

Otherwise you can use step-up authentication within your own application code, but only start that flow for certain customers.

mooreds, Dec 03 '25 04:12
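As an added illustration (not FusionAuth code and not from any commenter) of the per-user policy the original request describes and the application-side step-up gate mooreds suggests, the following decides, for a user record, whether the login can complete, whether the user must first be sent to an enrollment page, or whether an already enrolled authenticator must be challenged. The `User` fields, the customer identifiers and the policy class are all assumed for this example.

```python
"""Per-user MFA enforcement policy (hypothetical model, not a FusionAuth API)."""
from dataclasses import dataclass
from enum import Enum


class MfaDecision(Enum):
    NOT_REQUIRED = "not_required"  # let the login complete
    ENROLL = "enroll"              # MFA required but nothing set up: show the two-factor enable page
    CHALLENGE = "challenge"        # MFA required and an authenticator exists: ask for a code


@dataclass(frozen=True)
class User:
    email: str
    customer_id: str                            # which SaaS customer the user belongs to (assumed)
    groups: frozenset = frozenset()
    mfa_opt_in: bool = False                    # user turned MFA on from the preference screen
    enrolled_methods: frozenset = frozenset()   # e.g. {"authenticator"} once a TOTP secret is verified


@dataclass(frozen=True)
class MfaPolicy:
    enforcing_customers: frozenset = frozenset()  # customers that enforce MFA for all their users
    enforcing_groups: frozenset = frozenset()     # groups that always require MFA

    def is_required(self, user: User) -> bool:
        """Backend enforcement (customer or group) OR the user's own opt-in."""
        return (user.mfa_opt_in
                or user.customer_id in self.enforcing_customers
                or bool(user.groups & self.enforcing_groups))

    def decide(self, user: User) -> MfaDecision:
        if not self.is_required(user):
            return MfaDecision.NOT_REQUIRED
        if not user.enrolled_methods:
            return MfaDecision.ENROLL
        return MfaDecision.CHALLENGE


def needs_step_up(policy: MfaPolicy, user: User, mfa_verified_this_session: bool) -> bool:
    """Application-side gate: start the step-up flow only when policy requires MFA
    and the current session has not yet completed a second factor."""
    return policy.decide(user) is not MfaDecision.NOT_REQUIRED and not mfa_verified_this_session


# Constructed sample data for demonstration.
POLICY = MfaPolicy(enforcing_customers=frozenset({"acme"}), enforcing_groups=frozenset({"admins"}))
ACME_NEW = User("a@acme.example", "acme")
GLOBEX_USER = User("b@globex.example", "globex")
GLOBEX_ADMIN = User("c@globex.example", "globex", frozenset({"admins"}), False, frozenset({"authenticator"}))
OPTED_IN = User("d@globex.example", "globex", frozenset(), True, frozenset({"authenticator"}))
```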