Hello, I was able to implement a step-up MFA flow ...
# general
d
Hello, I was able to implement a step-up MFA flow by following the suggestions of the Trigger Dynamic Multi-Factor authentication part of Ory's documentation. However, we do not wish to keep the session in an elevated AAL2 state for more than a period of time (e.g. 5 minutes), and would like to automatically step-down back to AAL1.

1. Is there a way to achieve this natively with Ory?

EDIT: It seems I'm trying to implement a GitHub-like sudo mode where the AAL2 drops down to AAL1 after a timeout, where later privileged actions will require "stepping-up" again to AAL2 via a flow (like SMS / TOTP / etc). Thank you!
m
What should happen when you do the step-down? You could check authenticated_at and if it is 5 minutes ago trigger another aal2 auth with `?refresh=true&aal=aal2`
d
The step-down should make the session's aal go back to aal1. -- Otherwise put, we don't want to keep the session at aal2 for the rest of the session's lifetime. -- The step-up to aal2 should be temporary (e.g. expires after 5 minutes), and/or could be manually stepped down by the server after a sensitive action has been actioned.

iirc, I also tried to do a `?refresh=true&aal=aal1` in an effort to "downgrade" the session, but the previous `aal2` still evaluates the session overall as `aal2`.

I just found the Privileged sessions section of the documentation, found the `privileged_session_max_age` property in my identity config and attempted to change it to something very short (`30s`) to test it. However, my session's `"authenticator_assurance_level"` stayed at `"aal2"` after stepping up and waiting for the timeout. However, I noticed that this `privileged_session_max_age` is only available as part of the `settings` flow config (`.flows.settings.privileged_session_max_age`), so it may not have worked as I intended. I tried to apply the same property to `flows.login.privileged_session_max_age`; however, the config fails to write with a validation error that additionalProperties `privileged_session_max_age` is not allowed. As referenced in your docs, I am trying to implement a GitHub-styled sudo mode -- but would like a similar `privileged_session_max_age` for all sessions whenever they become "privileged".