Add user-preferred MFA login

Asgardeo users have the option to select their preferred MFA option. Once chosen, Asgardo remembers the choice and prompts the chosen MFA option as a second factor when users log into applications.

Currently, you can only configure user-preferred MFA login by using the SCIM2/Me API of Asgardeo.

Prerequisites

To get started, you need to register an application with Asgardeo . You can register your own application or use one of the sample applications provided.

Configure application login for user-preferred MFA

Follow the steps given below to configure the application login to prompt the user with the preferred MFA option.

1. On the Asgardeo console, click Applications.

2. Select your application and go to the Login Flow tab.

3. Click Start with default configuration to define the login flow starting with username and password.

4. Add a second authentication step with the following authenticators.

   • TOTP
   • Email OTP
   • SMS OTP
   

5. Turn on Conditional Authentication by switching the toggle.

   

   You can now define your conditional authentication script.

   Important

   As a security measure, Asgardeo does not allow the usage of two consecutive periods (..) in authentication scripts.

6. Add the following adaptive authentication script.

   var onLoginRequest = function(context) {
       executeStep(1, {
           onSuccess: function (context) {
               var preferredClaimURI = 'http://wso2.org/claims/identity/preferredMFAOption';
               var user = context.steps[1].subject;
               var preferredClaim = user.localClaims[preferredClaimURI];
               
               var jsonObj = JSON.parse(preferredClaim);
               var authenticationOption = jsonObj.authenticationOption;
               Log.info("preferredClaim authenticationOption " + authenticationOption);
   
               if(preferredClaim != null) {   
                   executeStep(2, {authenticationOptions: [{authenticator: authenticationOption}]}, {});
               } else {
                   executeStep(2);
               }
           }
       });  
   };
   

7. Click Update to save the configurations.

Set preferred MFA options for users

To set preferred MFA options for users:

1. Collect information from your application users on their preferred MFA option.

   Available authenticators

   The following authentication options are available for users:

   Connection Name	Authenticator
   TOTP	totp
   Email OTP	email-otp-authenticator
   SMS OTP	SMSOTP

2. Set the preferred MFA option for each user using a SCIM2/Me patch API (opens new window) call.

   Update the preferredMFAOption.authenticationOption value for each user according to their choice in step 1.

   Sample API call to add the user's preferred MFA option

   curl -v -k --header 
   'Authorization: Bearer <access_token>' 
   --data '
       {"Operations":[
           {
               "op":"replace","value":
                   {"name":
                       {"givenName":"liya"}
                   }
           },
           {
               "op":"replace",
               "value":
               {
                   "name":
                   {"familyName":"shaggy"}
               }
           },
           {
               "op":
                   "replace",
                   "value":{"phoneNumbers":[]}
           },
           {
               "op":
               "replace",
               "value":
                   {"urn:scim:wso2:schema":
                       {
                           "country":"Andorra",
                           "dateOfBirth":"",
                           "preferredMFAOption":"
                               {\"authenticationOption\":\"email-otp-authenticator\"}"
                       }
                   }
           }
       ],
       "schemas":[
           "urn:ietf:params:scim:api:messages:2.0:PatchOp"
       ]
   }' 
   --header "Content-Type:application/json" https://api.asgardeo.io/t/<org_name>/scim2/Me