FusionAuth

Alternate Auth Strategies

General Discussion
    daniel.barrett
    last edited by 15 Dec 2020, 13:15

    Can I configure the following auth scenario?

    • user can authenticate through username/password AND MFA

    OR

    • user can authenticate through an application authentication token

    In other words, I want the Application Authentication Token to be a short circuit around MFA if the user has configured any tokens.

    Is this possible? Can anyone think of any workarounds that would accomplish as much?

      dan
      last edited by dan 15 Dec 2020, 16:35

      Is this possible? Can anyone think of any workarounds that would accomplish as much?

      I don't believe this is possible within the FusionAuth hosted login pages. A user has 2fa enabled or they don't, and the auth tokens follow the same login flow.

      If you wanted to have your application handle passwords (not typically a good idea, but possible), I suppose you could see if a password looked like an auth token (or maybe have a different endpoint) and then turn off, via an API call, the 2fa requirement for a given user. Seems error prone, but possible. Make sure you secure your application well 🙂 if this is a path you choose.

      It seems like you are looking for a way around 2fa, like some of the one time codes that Google provides. If so, here's a discussion on that very topic:
      https://fusionauth.io/community/forum/topic/330/is-it-possible-to-disable-two-factor-without-providing-the-two-factor-code

      That led to a github issue: https://github.com/FusionAuth/fusionauth-issues/issues/871

      Which we're planning to deliver with our MFA overhaul, which is currently planned for the 1.24.0 milestone: https://github.com/FusionAuth/fusionauth-issues/milestone/71 (and will be a feature for our paid editions, in the spirit of transparency).

      --
      FusionAuth - Auth for devs, built by devs.
      https://fusionauth.io

        daniel.barrett
        last edited by 15 Dec 2020, 17:10

        Thanks for the quick reply @dan !

        Our use case is this:

        • We have users that will be able to log in using their username/password (with MFA optionally turned on).
        • Separately, we want to be able to grant programmatic access to these users as well. Programmatic access obviously precludes any ability to do MFA so we were looking for a way around it. We thought the Application Token might be ideal.

        Obviously the presence of the Application Token somewhat reduces the security of the MFA itself. The idea is that we would ask users to treat the Token as such.

        We're willing to work outside the box here if you have any alternate ideas for accomplishing said functionality.

          dan
          last edited by 18 Dec 2020, 17:39

          You could maintain two user accounts, dan with MFA turned on and dan-api-access with MFA turned off and application tokens. You could then use webhooks to keep their permissions in sync.


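The two-account pattern above (a primary user with MFA on, a `-api-access` twin with MFA off, webhooks keeping their permissions aligned) can be implemented as a small webhook receiver. The code below is an added example written for this page; it is not FusionAuth's own code and not something either poster supplied. It assumes the webhook JSON carries `{"event": {"type", "user", "registration"}}` with `registration.applicationId` and `registration.roles`, that the operator configured a custom `X-Webhook-Secret` header on the webhook, and it replaces the FusionAuth REST calls with an in-memory stand-in (`InMemoryFusionAuth`) so it runs offline; the usernames, IDs and sample event are constructed. It also covers the two failure modes a practitioner hits with this design: an unauthenticated caller driving role changes on the MFA-free account, and a sync loop or privilege reversal if events for the shadow account were mirrored back onto the primary.

```python
"""Keep the roles of a primary, MFA-enabled user in sync with its
MFA-free "-api-access" shadow account from FusionAuth webhook events.

Added example, not FusionAuth's own code. Assumptions (labelled):
  * the webhook JSON has the shape {"event": {"type", "user", "registration"}};
  * the operator configured a custom header X-Webhook-Secret on the webhook;
  * InMemoryFusionAuth stands in for the two real FusionAuth REST calls.
"""
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHADOW_SUFFIX = "-api-access"       # naming convention from the thread: dan -> dan-api-access
SYNCED_EVENTS = {"user.registration.create", "user.registration.update"}
SECRET_HEADER = "X-Webhook-Secret"  # assumed: custom header set in the webhook config


@dataclass
class InMemoryFusionAuth:
    """Constructed stand-in for the two FusionAuth API calls the sync needs."""
    users: Dict[str, dict]                                   # username -> user object
    registrations: Dict[Tuple[str, str], dict] = field(default_factory=dict)

    def get_user_by_username(self, username: str) -> Optional[dict]:
        return self.users.get(username)

    def update_registration(self, user_id: str, application_id: str, roles: List[str]) -> dict:
        reg = {"applicationId": application_id, "roles": sorted(set(roles))}
        self.registrations[(user_id, application_id)] = reg
        return reg


def make_demo_client() -> InMemoryFusionAuth:
    """Constructed sample directory: 'dan' (MFA on), its shadow, and 'erin' with no shadow."""
    return InMemoryFusionAuth(users={
        "dan": {"id": "u-dan", "username": "dan"},
        "dan-api-access": {"id": "u-dan-api", "username": "dan-api-access"},
        "erin": {"id": "u-erin", "username": "erin"},
    })


def verify_shared_secret(headers: Dict[str, str], expected: str) -> bool:
    """Constant-time check of the shared-secret header, so an unauthenticated
    caller cannot drive role changes on the MFA-free shadow account."""
    presented = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(presented.encode(), expected.encode())


def sync_roles(event: dict, client: InMemoryFusionAuth) -> Optional[dict]:
    """Mirror the primary user's registration roles onto its shadow account.
    Returns the updated shadow registration, or None when nothing was synced."""
    if event.get("type") not in SYNCED_EVENTS:
        return None
    username = (event.get("user") or {}).get("username") or ""
    # Events for a shadow account are ignored: syncing shadow -> primary would let
    # the MFA-free credential rewrite the MFA-protected account, and our own
    # update below would otherwise re-trigger this handler (sync loop).
    if not username or username.endswith(SHADOW_SUFFIX):
        return None
    registration = event.get("registration") or {}
    app_id = registration.get("applicationId")
    if not app_id:
        return None
    shadow = client.get_user_by_username(username + SHADOW_SUFFIX)
    if shadow is None:
        return None  # primary has no programmatic twin; nothing to sync
    return client.update_registration(shadow["id"], app_id, registration.get("roles", []))


def handle_webhook(body: bytes, headers: Dict[str, str], secret: str,
                   client: InMemoryFusionAuth) -> dict:
    """HTTP-layer entry point: authenticate, parse, sync, report."""
    if not verify_shared_secret(headers, secret):
        return {"status": 401, "synced": False}
    try:
        event = json.loads(body).get("event") or {}
    except (ValueError, AttributeError):
        return {"status": 400, "synced": False}
    updated = sync_roles(event, client)
    return {"status": 200, "synced": updated is not None, "registration": updated}


# Constructed sample event: dan's roles in application app-1 were just changed.
SAMPLE_EVENT = json.dumps({"event": {
    "type": "user.registration.update",
    "applicationId": "app-1",
    "user": {"id": "u-dan", "username": "dan"},
    "registration": {"applicationId": "app-1", "roles": ["editor", "admin"]},
}}).encode()


if __name__ == "__main__":
    fa = make_demo_client()
    print(handle_webhook(SAMPLE_EVENT, {SECRET_HEADER: "s3cret"}, "s3cret", fa))
```

The one-way rule (primary to shadow only) is the part worth keeping even if the rest is swapped for real API calls: the shadow account is the credential that bypasses MFA, so nothing originating from it should be allowed to change what the MFA-protected account can do.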