Extending Your MFA Workflows with IBM Cloud App ID


With App ID, you can easily add authentication, authorization, and user profile services to web apps, mobile apps, and APIs with minimal-to-zero code changes and without redeploying your app.

By using App ID, you no longer have to worry about setting up infrastructure for identity, ensuring geo-availability, or trying to understand complex compliance regulations when it comes to managing user identity. 

You can also enable multi-factor authentication (MFA) for your application's users. Requiring more than one factor makes an account harder to take over with a stolen password alone. The first factor is the user's Cloud Directory username and password; the second is a one-time code that App ID sends to the user by email or SMS.

Making custom authentication decisions

Previously, when MFA was enabled, every sign-in required the user to complete the MFA flow. There was no way to control which users had to complete the second factor, or how often.

Now, you can make that decision at runtime by configuring a pre-MFA extension and registering it with App ID. After a successful first-factor authentication, App ID sends a request containing data about the user and the sign-in to your extension. Your extension uses that data to tell App ID whether to proceed with MFA for this sign-in or skip it.

Figure 1. Cloud Directory pre-MFA flow.


So, with that diagram in mind, let's look at a simple use case. Say you have a whitelist of trusted IP addresses.

  1. When a user successfully authenticates with their credentials, App ID sends the sign-in information to your endpoint.
  2. You parse that information and check whether the IP address it carries matches an address on your whitelist.
  3. Your extension answers App ID with either true (skip MFA) or false (require it).
  4. If the result is true, App ID redirects the user straight to your application. If the result is false, the user is redirected to finish the MFA flow.

An IP address is a coarse signal (shared NAT, VPN egress, mobile carriers), so treat it as one input to the decision rather than as proof of who is on the other end.

What kind of information can I make decisions with?

App ID sends your extension a payload of the form {"jws": "jws-format-string"}: the sign-in data is delivered as a JSON Web Signature. Verify that signature against App ID's published public keys before you act on anything inside it, so that your extension only makes decisions on requests that actually came from App ID, and answer false for anything you cannot verify or parse. After you decode and verify the payload, the content is a JSON object with the following schema:

Table 1. The information that App ID forwards to your pre-MFA extension point.


Advanced use case

Now that you've seen a simple use case and all of the information available to you, let's look at a more advanced use case. 

Your criteria for skipping MFA might be that the user:

  • is in your whitelist,
  • is accessing your application from a desktop, and
  • has already successfully completed MFA once that day.

You might enforce those criteria by validating that the:

  • username or user_id is in your whitelist,
  • device_type is set to web, and
  • last_successful_first_factor falls within the current day.

If all of the conditions are met, you send {"skipMfa": true} in the response to App ID and the user bypasses the second authentication checkpoint; otherwise you send {"skipMfa": false}. One caveat: last_successful_first_factor records when the user last passed the password check, not when they last completed MFA. If the rule you actually want is "completed MFA today", your extension needs its own record of MFA completions, which is the kind of authentication event a post-MFA extension can capture for you.
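The following is an added example, not code from the original post or from IBM: a minimal pre-MFA extension handler that covers both use cases above, the IP-style allow decision and the three-condition policy (whitelisted user, device_type of web, first factor within the current day). It takes the {"jws": ...} body App ID posts, refuses to act on anything whose signature does not verify, and returns {"skipMfa": true} or {"skipMfa": false}, failing closed to false on any parse or verification error. Two assumptions are not from the post: App ID signs its real payload with its own keys and you would verify it with App ID's published public keys using a JOSE library, whereas this example signs and verifies with HS256 and a shared secret so that it runs offline on the standard library alone (the parsing, algorithm pinning and fail-closed logic are the same either way); and the format of last_successful_first_factor (ISO-8601 or epoch seconds) is assumed. The whitelist, secret and claims are constructed for the example.

```python
"""Pre-MFA extension for App ID: verify the JWS, apply the skip policy, answer.

Added example, not code from the original post or from IBM. Assumptions:
- The real App ID JWS must be verified against App ID's published public keys
  (use a JOSE library). This example uses HS256 with a shared secret so it runs
  offline with only the standard library; the structure is otherwise the same.
- Claim names are those listed in the post; the timestamp format is assumed.
"""
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed whitelist and clock for the example.
ALLOWED_USERS = {"alice@example.com", "bob@example.com"}
EXAMPLE_NOW = datetime(2019, 6, 12, 15, 0, tzinfo=timezone.utc)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(claims: dict, secret: bytes) -> str:
    """Build an HS256 compact JWS; stands in for the JWS App ID would send."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def request_body(claims: dict, secret: bytes) -> bytes:
    """The shape of the POST body App ID sends: {"jws": "<compact JWS>"} (constructed)."""
    return json.dumps({"jws": sign_jws(claims, secret)}).encode()


def verify_jws(token: str, secret: bytes) -> dict:
    """Return the claims only after the signature checks out; ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm ourselves: the token must never get to choose it
    # (this rejects alg=none and algorithm-confusion tricks).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims, dict):
        raise ValueError("claims are not a JSON object")
    return claims


def _parse_timestamp(value) -> datetime:
    """Accept epoch seconds or ISO-8601; naive values are taken as UTC (assumption)."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def skip_mfa(claims: dict, now: datetime) -> bool:
    """The post's advanced policy: whitelisted user, desktop browser, first factor today.

    last_successful_first_factor says when the password check last passed, not when
    MFA last completed; a true "completed MFA today" rule needs your own record of that.
    """
    user_ok = claims.get("username") in ALLOWED_USERS or claims.get("user_id") in ALLOWED_USERS
    device_ok = claims.get("device_type") == "web"
    try:
        last = _parse_timestamp(claims["last_successful_first_factor"])
    except (KeyError, ValueError, TypeError, OverflowError):
        return False  # missing or malformed timestamp: fail closed, require MFA
    same_day = last.astimezone(timezone.utc).date() == now.astimezone(timezone.utc).date()
    return user_ok and device_ok and same_day


def handle_request(body: bytes, secret: bytes, now: Optional[datetime] = None) -> dict:
    """Extension endpoint: take the {"jws": ...} body, return {"skipMfa": bool}."""
    now = now or datetime.now(timezone.utc)
    try:
        claims = verify_jws(json.loads(body)["jws"], secret)
    except (ValueError, KeyError, TypeError, AttributeError):
        # Anything we cannot parse or verify gets the safe answer: run the second factor.
        return {"skipMfa": False}
    return {"skipMfa": skip_mfa(claims, now)}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    claims = {"username": "alice@example.com", "user_id": "u-1", "device_type": "web",
              "last_successful_first_factor": "2019-06-12T09:30:00Z"}
    print(handle_request(request_body(claims, secret), secret, EXAMPLE_NOW))
```

Wire handle_request behind whatever HTTP framework you deploy the extension with; the one design rule worth keeping is that every path that is not a fully verified, well-formed request returns false, so a bug or a forged request costs the user an extra one-time code rather than the second factor.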

For more information on configuring and enabling your extension, see the docs. Additionally, you can configure a post-MFA extension to collect more information about authentication events. See the documentation to learn more about post-MFA extensions.

Questions and feedback

  • If you have technical questions about App ID, post your question on Stack Overflow and tag your question with ibm-appid.
  • For questions about the service and getting started instructions, use the IBM Developer Answers forum. Be sure to include the appid tag.
  • Check out the App ID tutorials on our YouTube channel.
  • Open a support ticket in the IBM Cloud menu.
  • Reach out directly to the development team on Slack!

New to IBM Cloud App ID? Welcome! To get started with App ID, check it out in the IBM Cloud Catalog.
