use 2FA only if and when needed
I would like to be able to use 2FA (currently testing TOTP) only when required with the session upgrade process, and i don't know if it is currently possible or if it would require new features.
My environnment :
- Some applications require 2FA (not all) => i can manage this with authenticationlevel.
- Some applications require 2FA, only for some users (because they have more rights within application) => i don't really know how to do this.
- Some/Many users may never have to use 2FA, so i don't want to bother them with 2FA
From my tests, i faced the following limitations (maybe mine) :
- I didn't find a way to request 2FA only on session upgrade : if a user has a 2FA, it is requested upon authentication, even if not needed for the applications he will use that time.
- I didn't find a way to autoenroll on session upgrade : if a user does not have a 2FA, he's not proposed to create one to use it immediately, he's just stuck on upgrade => of course i would use a rule like "only from internal network" for this part
- The session upgrade asks again password with forms, although user has allready an authenticationlevel of 2 : could this be skipped to ask only 2FA for revelant new authenticationlevel needs ?
Any help or reflexions with my approach would be very appreciated