# talk-kratos
b
Hey everyone, is it possible to enforce MFA for specific users? When adding `required_aal` to user sign-in (getting an Ory Session) / the `/sessions/whoami` endpoint, it enforces it on all users. I want the user to be able to specify if his account enables MFA.
m
Hm only option I see is using this: https://www.ory.sh/docs/kratos/mfa/requesting-2fa Do you want some users to have MFA enabled for everything, and some not at all?
b
But then I can't protect the `whoami` route, since I would have to log the user in, give him a session and then request the TOTP. If he stops there he can use the session token to get his profile, right?
m
Yes they can get the profile once they have a valid session. Do you want some users to have MFA enabled for everything, and some not at all?
b
Yes
So what I'm thinking is, on the login screen, to initialize the login flow I'll send the user's email, check the user's settings on my backend, and through that add the `aal2` if necessary.
Sounds right?
p
Hmm, no: you can have the user set a 2nd factor and the session will enforce doing a second-factor login flow. You can see an example of it here: https://github.com/ory/elements/blob/main/examples/react-spa/src/Dashboard.tsx#L24-L28 There are a few steps:
1. The user logs in with OIDC or password or passwordless.
2. The user gets a session, but the session will report that they require a 2nd factor (so they cannot change things like profile settings etc.).
3. The user is redirected back to login with `aal=aal2`.
b
I think I got what you mean, Thanks! I’ll try that
c
Hi, sorry to revive this old thread, but Alano's description is not quite clear to me 😕 If I enforce aal2 on login and a user does not have a second factor, is the user forced to add a second factor, or will the session still be issued with aal1? Like Matan Ben Yair, I want to give the users the possibility to add a second factor, but I don't want to enforce aal2 generally. Thanks in advance!
p
No, currently there is no way to force someone through Ory to set up a second factor. https://www.ory.sh/docs/kratos/mfa/enforce-mfa You can however make the application inaccessible when the authentication level is 1 (e.g. they don't have 2FA set up), but they will still have a valid session. You can, for instance, request the session information using their session cookie on the server side (your server) and check the response data. https://www.ory.sh/docs/identities/sign-in/check-session-token-cookie-api#session-response
In the above URL the example shows a session response payload. Take note of

```json
"authenticator_assurance_level": "aal1",
"authentication_methods": [
  {
    "method": "password",
    "aal": "aal1",
    "completed_at": "2022-12-01T13:50:30.427375604Z"
  }
],
```

Here you can see the user only signed in using a password or OIDC.
c
Okay, I got what you mean. Thanks for the clarification, Alano!