MFA for select users
Is it possible to force MFA for certain users. We have a potential client that will have a large user pool for their organization, but they want their admins / high security individuals, specifically, to have to usa MFA. Everyone else doesn't have to use it.
Is this possible?
4 Replies
Hello, @ryno1234.
Yes, this is possible with Kinde using role-based MFA exemptions.
You can configure MFA at the organization level and then exempt certain roles from having to use MFA. This means you can set up MFA as required for the organization, but then create exemptions for specific user roles like regular users while keeping it mandatory for admins and high-security roles.
Here's how it works:
1. Set up organization-level MFA - This feature is available on the Kinde Scale plan and allows you to enforce MFA for the entire organization.
2. Create role exemptions - You can exempt certain roles within the organization from having to use MFA. For example, you could exempt a "member" or "user" role while keeping MFA required for "admin" roles.
To set this up:
- Go to Organizations in Kinde and select the organization.
- Navigate to Multi-factor auth in the menu.
- Toggle on Enforce multi-factor authentication for this organization.
- In the Exempt roles section, add the roles that should be exempt from MFA.
- Select Save.
You'll need to have roles properly configured in Kinde first. This approach gives you the granular control your potential client needs - mandatory MFA for high-security users while keeping the experience streamlined for regular users.
Is this something that would work for your needs?
Kinde docs
Manage user roles
Our developer tools provide everything you need to get started with Kinde.
hi @Ahn , yes this would work from a technical perspective, but if I'm understanding you correctly, there is no way to do MFA without upgrading to Scale. ($250/mo. USD)
I noticed on the MFA page under the organization it mentions something about Advanced Customizations for $10 USD per org / per month. Would that be in addition to the cost to upgrade to scale?
So in my situation, I'm talking about 7 organizations would need to have this turned on. Am I looking at $70 + 250/mo?
Another question - I noticed that it is possible to allow the user to choose if they want to use MFA. With Workflows is it possible to intercept the signon event, determine if this has been set and update that value on behalf of the user? If that was possible, I'd be able to set the value to FALSE for most users, but if the user that signed in is part of a very specific admin list, I could leave the value alone and have the Kinde UI prompt the user to set up MFA. I realize that may be a stretch in what's possible, but figured I'd ask.
Hello, again, ryno. Great observations.
You are correct that enabling multi-factor authentication (MFA) at the organization level in Kinde requires the Scale plan. The Scale plan allows you to activate advanced organization features, including org-level MFA, for up to 5 organizations. After those 5, there is an additional monthly charge for each extra organization where advanced features are enabled.
Based on your scenario (7 organizations):
- You need the Scale plan as a baseline subscription.
- The Scale plan includes advanced org features for 5 organizations.
- For the 6th and 7th organizations, you incur an additional fee per organization per month.
Regarding your second question, I will take the example you provided back to the team and investigate this and any other potential paths you can take to achieve your objective by using other alternatives. Thank you for your patience!
Sources:
- Manage organization-level auth features
Kinde docs
Manage organization-level auth features
Our developer tools provide everything you need to get started with Kinde.
Hello, ryno.
After further research and a confirmation from a team member, the conclusion would be that Multi-Factor Authentication (MFA) controls, including those that involve workflows, are available for enhanced security, but they are currently only offered at the user or organization level on our Scale plan.
Let me know if you would like me to help with something else.