
Enforce MFA Setup at User Level After Sign-in

Open jraoult opened this issue 4 months ago • 6 comments

What problem did you meet?

Currently, there's no way to enforce a user-specific MFA setup flow after a user has signed in. The existing MFA enforcement is tied to the application or organisation level, which doesn't allow for the flexibility needed in specific scenarios.

As a developer, I need a way to redirect a user to an MFA setup screen after they sign in if they haven't configured MFA. This is crucial for organisations where MFA is required for specific users based on their role, permissions, or a set of custom criteria, but not for all users. The current setup, which only forces MFA at the sign-in step, is not ideal from a user experience perspective and doesn't allow for a graceful, post-login setup flow.

cf. https://discord.com/channels/965845662535147551/1412388185337499670

Describe what you'd like Logto to have

I would like Logto to introduce a feature similar to "required actions" as found in other identity providers, such as Keycloak. This would allow an administrator to flag a specific user with a "required action": in this case, "set up MFA."

The requested feature could, for example, include:

  • An API endpoint to programmatically flag a user for an MFA setup.
  • A mechanism within Logto to detect this flag after a user successfully signs in.
  • The ability to redirect the user to a dedicated MFA configuration page if the flag is present.

It would provide a flexible way to enforce MFA on a per-user basis, without making it a mandatory requirement for the entire organisation or a specific application. This feature would significantly improve the security while maintaining a good user experience.

jraoult avatar Sep 09 '25 08:09 jraoult
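The post-sign-in "required action" gate sketched above, as an added example that is not part of the issue or of Logto's own code; the user fields (`requiredActions`, `roles`, `mfaFactors`) and the setup path are hypothetical names chosen for illustration:

```javascript
// Added illustration of the per-user "set up MFA" required-action gate.
// Field names and paths are hypothetical, not Logto's schema or routes.
const MFA_SETUP_PATH = "/account/mfa/setup";
// The only routes reachable while the action is pending: finishing setup, or leaving.
const ALWAYS_ALLOWED = new Set([MFA_SETUP_PATH, "/sign-out"]);
// Role-based criterion for the "subset of users" case described in the issue.
const ROLES_REQUIRING_MFA = new Set(["admin", "billing"]);

// A user needs the setup flow when flagged explicitly or by role policy,
// and has not yet enrolled any factor.
function mfaSetupRequired(user) {
  const flagged = user.requiredActions.includes("setup_mfa");
  const byRole = user.roles.some((r) => ROLES_REQUIRING_MFA.has(r));
  return (flagged || byRole) && user.mfaFactors.length === 0;
}

// Evaluated on every request after sign-in. Returns "proceed", or a redirect
// to the setup page that preserves the original destination. Because every
// other path redirects, the user cannot skip the action by navigating away.
function postSignInGate(user, requestedPath) {
  if (!mfaSetupRequired(user)) return { action: "proceed" };
  if (ALWAYS_ALLOWED.has(requestedPath)) return { action: "proceed" };
  return {
    action: "redirect",
    location: `${MFA_SETUP_PATH}?next=${encodeURIComponent(requestedPath)}`,
  };
}

// Clear the flag only once a factor has been enrolled and verified server-side;
// clearing it merely on visiting the setup page would reintroduce the skip problem.
function completeMfaSetup(user, enrolledFactor) {
  if (!enrolledFactor.verified) throw new Error("factor not verified");
  return {
    ...user,
    mfaFactors: [...user.mfaFactors, enrolledFactor.type],
    requiredActions: user.requiredActions.filter((a) => a !== "setup_mfa"),
  };
}

// Constructed sample users: admin by role, member flagged explicitly, plain member.
const alice = { id: "u1", roles: ["admin"], requiredActions: [], mfaFactors: [] };
const bob = { id: "u2", roles: ["member"], requiredActions: ["setup_mfa"], mfaFactors: [] };
const carol = { id: "u3", roles: ["member"], requiredActions: [], mfaFactors: [] };

console.log(postSignInGate(alice, "/dashboard")); // redirect to setup, next=%2Fdashboard
console.log(postSignInGate(carol, "/dashboard")); // proceed
```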

@wangsijie is this new endpoint the answer to this feature suggestion: https://openapi.logto.io/operation/operation-updateuserlogtoconfigs

jraoult avatar Nov 03 '25 09:11 jraoult

@jraoult but the user can still skip again, not sure if this solves your problem

wangsijie avatar Nov 04 '25 06:11 wangsijie

> but the user can still skip again

@wangsijie Hmm, yeah, that is not it then. I need to make it impossible for the user to sign in

jraoult avatar Nov 04 '25 08:11 jraoult

What about this:

Image

wangsijie avatar Nov 05 '25 02:11 wangsijie

> What about this:

@wangsijie that won't be it sadly because this feature request is about being able to enforce no MFA skipping only for a subset of users, not the whole organisation, whereas this setting enforces it for everyone in the org.

jraoult avatar Nov 05 '25 10:11 jraoult

Hi @jraoult, thanks for the suggestion! We've decided to add the user-level "require MFA" feature to the Adaptive MFA project. It's now on our planned roadmap with relatively high priority. Stay tuned and feel free to vote for it.

Rany0101 avatar Nov 06 '25 08:11 Rany0101