Login with User Preferred MFA for Applications using Asgardeo
Hi all! Today I am going to discuss how you can let your organization's users select a Multi-Factor Authentication (MFA) step based on their own preference. For this implementation we use the existing MFA options in Asgardeo together with adaptive (conditional) authentication.
Do you know what Asgardeo is 🧐? Asgardeo is the new IDaaS solution provided by WSO2. Click here to check out more on Asgardeo and to sign up for free.
Back to the Story 😀.
For this process we will need the following resources.
- An organization in Asgardeo (This will be created when you Sign Up for Asgardeo)
- An application in the organization (For demonstration purposes I will use a sample application)
- An attribute to store the preferred MFA step.
- Several user accounts (For demonstration purposes I will use three user accounts)
Now let’s do the configuration.
Log in to the Console application of the created organization and create an attribute to store the MFA step. To create this attribute, go to the Manage tab and select Attributes from the left pane. Then go to the Attributes section; at the top right corner you can see the New Attribute button. Click on it and enter the Attribute Name and the Display Name. Make sure the attribute is configured to be shown on the user's profile; otherwise users will not be able to see or edit it in My Account later. For the demonstration I created the following attribute.
Attribute Name : preferredmfa
Attribute Display Name : Preferred MFA(EmailOTP/TOTP)
Now create an application by referring to the Register an OpenID Connect web app document. For the demonstration I will use the provided OIDC sample application. You can also deploy the sample application by going through the Quick Start section of the application.
Go to the Sign-In Method section of the application and select the Default Login. Now add another two steps to the authentication flow.
Second Step : TOTP
Third Step : Email OTP
At the bottom, enable Conditional Authentication, add the following conditional authentication script, and click on Update.
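The script below is an added example of such a conditional authentication script, written for this page; it is not the author's own script. It assumes (these details are not stated on the page) that the custom attribute `preferredmfa` is exposed to the script as the local claim URI `http://wso2.org/claims/preferredmfa`, that users store exactly `TOTP` or `EmailOTP` in it, and that the steps are numbered 1 = username/password, 2 = TOTP and 3 = Email OTP as configured in the Sign-In Method section. The decision itself is kept in a pure function so it can be tested outside Asgardeo.

```javascript
// Added example for this page: an Asgardeo conditional authentication script
// that runs the user's preferred MFA step after the password step.
// Assumptions (not from the original post): the claim URI below, the
// attribute values "TOTP" / "EmailOTP", and the step numbering 1/2/3.

var PREFERRED_MFA_CLAIM = 'http://wso2.org/claims/preferredmfa'; // assumed URI

// Accepted preference values (compared case-insensitively) mapped to step numbers.
var MFA_STEPS = {
    totp: 2,      // step 2 = TOTP
    emailotp: 3   // step 3 = Email OTP
};

// Step to run when the attribute is empty or holds an unknown value.
// null reproduces the behaviour described in the post (no second factor at all);
// set it to 2 or 3 to make a second factor mandatory for every user.
var DEFAULT_MFA_STEP = null;

// Pure decision function: returns the step number to execute after the
// password step, or null when no second step should be executed.
function selectMfaStep(preferredValue) {
    if (preferredValue === null || preferredValue === undefined) {
        return DEFAULT_MFA_STEP;
    }
    var key = String(preferredValue).trim().toLowerCase();
    if (Object.prototype.hasOwnProperty.call(MFA_STEPS, key)) {
        return MFA_STEPS[key];
    }
    // Unknown or empty value: fall back rather than guessing a step.
    return DEFAULT_MFA_STEP;
}

// Entry point invoked by the Asgardeo adaptive authentication engine.
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // The authenticated user from step 1 and their local attributes.
            var user = context.currentKnownSubject;
            var preferred = user.localClaims[PREFERRED_MFA_CLAIM];
            var step = selectMfaStep(preferred);
            if (step !== null) {
                executeStep(step);
            }
        }
    });
};
```

With `DEFAULT_MFA_STEP` left as `null`, a user who never sets the attribute (Mike in the walkthrough) gets no second factor, exactly as the post shows; changing it to `2` or `3` closes that gap for users who have not expressed a preference yet.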
Now let’s create the user accounts. For the demonstration I created the following three user accounts.
Email : alex@wso2.com
Email : james@wso2.com
Email : mike@wso2.com
Now log in to the My Account application of the organization (https://myaccount.asgardeo.io/t/<YOUR-ORG-NAME>) with each of the created user accounts and set the MFA type from the Personal Info section. My Account is the portal where users can manage their own profile. I set the MFA as follows.
Email : alex@wso2.com -> MFA : TOTP
Email : james@wso2.com -> MFA : EmailOTP
Email : mike@wso2.com -> MFA : empty
Ok, the hard part is done guys.
Let’s log in to the application using the created user accounts. Since I used the sample application, I log in at http://localhost:8080/oidc-sample-app/index.html
Click on Login and you will be redirected to the Asgardeo login page. Here I enter the credentials of the user Alex (alex@wso2.com).
Since Alex chose TOTP as the MFA type, Alex is redirected to the following page to scan the QR code (this page is only shown if the QR code has not been scanned previously, i.e. on first TOTP enrollment).
Scan the QR code with an authenticator app and click on Continue. You are then redirected to the following page to enter the TOTP code generated by the authenticator app.
Enter the code and click on Continue. If this is the first login, a consent page is displayed. After accepting it you are logged in to the application.
Now log out from the application and try to log in with James (james@wso2.com). After entering the correct credentials, James lands on the following page and an email containing the OTP is sent to James's registered email address.
Enter the OTP and click on Continue. If the OTP is correct you are redirected to the application’s home page.
Now try the login flow with Mike (mike@wso2.com), the user who did not set an MFA step in the profile. You will see that this user can log in to the application without any second-factor authentication: an empty preference means no MFA at all for that user, so decide deliberately whether an unset attribute should instead fall back to a default step.
That’s all guys. See you in another one. Stay safe. :-)