Add MFA based on user sign-in option
You can enable a more secure sign-in flow (based on the user's sign-in method) by applying the Sign-In-Option-Based conditional authentication template to your application.
Scenario
Consider a scenario where your application has multiple authentication methods configured as the first authentication step. You need to secure the sign-in flow for users signing in through a selected authentication method (e.g., basic authentication). If the user signs in with the specified authentication method, the second authentication step is prompted. Users signing in through an authentication method that is not specified in the script can sign in using only the first step.
Prerequisites
You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
Configure the sign-in flow
Follow the steps given below.
- On the Asgardeo Console, click Applications.
- Select the relevant application and go to its Login Flow tab.
- Add sign-in-option-based adaptive MFA using your preferred editor:

  To add sign-in-option-based adaptive MFA using the classic editor:
  - Click Start with default configuration to define the login flow starting with the username and password login.
  - Add other authenticators alongside username and password for step one in the sign-in flow. For example:
    username and password + Google + Facebook
  - Turn on Conditional Authentication by switching the toggle and select the Adaptive MFA > Sign-In-Option-Based template.

  To add sign-in-option-based adaptive MFA using the visual editor:
  - Switch to the Visual Editor tab, and expand Predefined Flows > Conditional Login Flows > Adaptive MFA.
  - Click + ADD next to Sign-In-Option-Based to add the sign-in-option-based adaptive MFA script.
  - Click Confirm to replace any existing script with the selected predefined script.

  Important: As a security measure, Asgardeo does not allow the usage of two consecutive periods (..) in authentication scripts.

- Update the following parameter in the script.

  Parameter: signInOptionToStepUp
  Description: Defines the sign-in option to which the second authentication step should apply. It can be configured as follows:
  - For basic authentication using username and password, use LOCAL as the parameter value.
  - For federated IdPs, use the name of the IdP as the parameter value (e.g., Facebook, Google, Github).

- Click Update to save the changes.
How it works
Shown below is the script of the sign-in-option-based conditional authentication template.
// This script steps up authentication and prompts TOTP when the
// user signs in with the configured sign-in option.
// Set the sign-in option that requires step-up authentication.
var signInOptionToStepUp = 'LOCAL';

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // The authenticator used in the completed first step.
            var step = context.steps[1];
            if (step.idp == signInOptionToStepUp) {
                executeStep(2);
            }
        }
    });
};
Let's look at how this script works.
- When step 1 of the authentication flow is complete, the onSuccess callback inside the onLoginRequest function retrieves the first authentication method (context.steps[1].idp) from the context.
- The function checks whether that authentication method matches the one set in signInOptionToStepUp.
- If it matches, authentication step 2 (TOTP) is prompted; otherwise the user is signed in after step 1 alone.
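The decision above can be exercised offline before the script is deployed. The following is an added example, not Asgardeo's own code or part of this template: a small harness that mimics the two runtime pieces the template relies on (an executeStep function and a context with steps[1].idp), runs the template logic against constructed contexts for several sign-in options, and also shows a generalisation where a list of sign-in options triggers the step-up instead of a single value. The shape of the runtime objects is assumed from the template; everything else here is constructed for the demonstration.

```javascript
// Added example: an offline harness for the sign-in-option-based step-up
// decision. Not Asgardeo's code; the runtime API (executeStep, context.steps)
// is assumed from the template and mocked below.

// Sign-in option that must trigger the second step (same value as the template).
var signInOptionToStepUp = 'LOCAL';

// Generalisation (assumption, not in the template): several options may
// require step-up. The template's single value is the one-element case.
var signInOptionsToStepUp = ['LOCAL', 'Facebook'];

// The template's decision logic. executeStep is passed in as a parameter so
// the same code runs outside the Asgardeo runtime, where it is a global.
function onLoginRequest(context, executeStep) {
  executeStep(1, {
    onSuccess: function (ctx) {
      var step = ctx.steps[1];
      if (step.idp == signInOptionToStepUp) {
        executeStep(2);
      }
    }
  });
}

// Variant that steps up for any option in the list.
function onLoginRequestMulti(context, executeStep) {
  executeStep(1, {
    onSuccess: function (ctx) {
      var step = ctx.steps[1];
      if (signInOptionsToStepUp.indexOf(step.idp) !== -1) {
        executeStep(2);
      }
    }
  });
}

// Simulate a login whose first step completed with the given IdP. Returns the
// ordered list of step numbers the script executed, for example [1, 2] or [1].
function simulateLogin(handler, idpUsedInStepOne) {
  var executed = [];
  // Constructed context: only the `idp` field of the completed step is modelled.
  var context = { steps: { 1: { idp: idpUsedInStepOne } } };
  function executeStep(stepNumber, options) {
    executed.push(stepNumber);
    if (stepNumber === 1 && options && typeof options.onSuccess === 'function') {
      // The mock treats step 1 as always succeeding; the real runtime calls
      // onSuccess only after the user has actually authenticated.
      options.onSuccess(context);
    }
  }
  handler(context, executeStep);
  return executed;
}

// True when the second factor would be prompted for this sign-in option.
function stepUpRequired(handler, idp) {
  return simulateLogin(handler, idp).indexOf(2) !== -1;
}

// Stand-alone run: show the decision for each constructed sign-in option.
['LOCAL', 'Google', 'Facebook'].forEach(function (idp) {
  console.log(idp, '-> steps executed:', simulateLogin(onLoginRequest, idp).join(', '));
});
```

Run with Node.js; LOCAL executes steps 1 and 2, while Google and Facebook stop after step 1 under the template logic. The harness only checks the branching; whether TOTP is actually enrolled for the user is decided by the real flow.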
Try it out
Follow the steps given below.
- Access the application URL.
- Try to sign in to the application with an authenticator that is not specified in the script. You will successfully sign in to the application.
- Log out of the application.
- Sign in with the authenticator specified in the script. TOTP authentication is prompted.