How to enforce 2FA for some roles and make it optional for the others

bernd · October 23, 2020, 8:48am

We want to enforce 2FA for one or more user-roles. However it must be optional for any other user.
Currently my best attempt is this:

Any attempt has run in either of these issues so far:

if several conditional flows are siblings, they are all executed and a user might be prompted twice if the role matches and he has a key configured
if conditional is placed inside alternative flows, then if fails if a user has a different role - while users without any role work.
2 conditions in 1 conditional flow means both have to match

How is it possible to have a flow be both alternative AND conditional at the same time, and provide a do-nothing fallthrough?

edit: is it possible that “Condition - User Configured” does not work with WebAuthn?

Gonzo · November 9, 2020, 12:22pm

I was trying the same the last few hours with OTP (instead of WebAuthn) and I am running into the same issues - interestingly I was trying a more or less exact same authentication flow at the end.

I also have the feeling from my tests that your last alternative flow “None” will never “succeed” but I am not aware of any “execution” step doing nothing but succeed or just breakout the flow.

It would also help me to get a documentation (besides the mouse over feature) to explain all possible “executions” in some more detail. Can anyone help here?

Topic		Replies	Views
Ask user to configure OTP on login when not configured Getting advice authentication	5	1103	November 30, 2023
Two alternative 2FA methods Getting advice	1	719	November 2, 2022
OTP registration on flow A and OTP login on flow B Getting advice authentication	0	53	April 8, 2024
Condition - user attribute validation Getting advice admin-console , authentication	2	2225	April 2, 2023
Conditional OTP for Direct Grant Getting advice authentication , oidc	0	520	February 11, 2022

How to enforce 2FA for some roles and make it optional for the others

Related Topics