question: MFA disable? #339

Open
tribor opened this issue May 23, 2024 · 3 comments

tribor commented May 23, 2024

I added MFA config via the 'User Dashboard'. After I logged out and tried to re-login I was asked for MFA.

So I have to use MFA right after I configured it? I thought I have to add `require mfa` to the `transform user` section first?

I want to use MFA not for all domains but only some of them. So how can I configure this?
Is MFA set per user or can I also set it per domain?

```
{
        order authenticate before respond
        order authorize before basicauth

        security {
                local identity store localdb {
                        realm local
                        path /opt/startup/caddy/auth/users.json
                        user itsme {
                                name me
                                email me@here
                                password "bcrypt:10:$2a$14$q/.GQ[REDACTED]"
                                roles authp/admin authp/user
                        }
                }

                authentication portal myportal {
                        crypto default token lifetime 3600
                        crypto key sign-verify {env.JWT_SHARED_KEY}
                        enable identity store localdb
                        cookie domain [REDACTED]

                        ui {
                                static_asset "assets/images/logo.svg" "image/svg+xml" auth/lock.svg
                                links {
                                        "My Identity" "/whoami" icon "las la-user"
                                }
                        }
                        transform user {
                                match origin local
                                action add role authp/user
                                ui link "User Dashboard" /auth/profile/ icon "las la-cog"
                        }
                }

                authorization policy admins_policy {
                        set auth url https://[REDACTED]/
                        allow roles authp/admin authp/user
                        crypto key verify {env.JWT_SHARED_KEY}
                        acl rule {
                                comment allow users
                                match role authp/user
                                allow stop log info
                        }
                        acl rule {
                                comment default deny
                                match any
                                deny log warn
                        }
                }
        }
}
```

tribor added need triage question labels May 23, 2024

tribor commented Jun 19, 2024

Any ideas?

greenpau (Owner) commented

> So I have to use MFA right after I configured it? I thought I have to add `require mfa` to the `transform user` section first?

@tribor, yes. As soon as you add MFA (app or token) to your profile, you will start getting prompted for the second factor. You can have multiple tokens configured. You can supply any of them and as long as they are valid, you would get it.
For example, I have an app token, a passcode on my PC, a passcode on my phone, and a hardware token. I added all 4 of them. I recommend adding an app token first.

greenpau (Owner) commented

> I want to use MFA not for all domains but only some of them. So how can I configure this? Is MFA set per user or can I also set it per domain?

@tribor, that granularity does not exist. That would be a new feature.

greenpau added feature backlog and removed question need triage labels Jun 19, 2024