Enrolling authenticators

This guide will demonstrate how to use Authsignal to enroll users for MFA. There are two ways this can be done:

1. Prompting users to select and enroll an authenticator themselves
2. Enrolling users with a specific authenticator type automatically (if you already have their verified email or phone number)

Enabling authenticators

In the Authsignal Portal you can choose which authenticators should be enabled for your application in Settings -> Authenticators.

For some authenticator types such as SMS you will need to configure the underling provider (e.g. Twilio or MessageBird).

Once an authenticator type is enabled, it will be available for users to select when they are enrolling via the Challenge UI.

Self-service enrollment

One way users can enroll an authenticator themselves is by using the Challenge UI.

Retrieving a user's enrollment status

The getUser method lets you determine if a user of your app is currently enrolled (i.e. they have added at least one authenticator).

cURL

curl https://signal.authsignal.com/v1/users/usr_123 \
  -u YOUR_SECRET_KEY:

Node.js

const result = await authsignal.getUser({ userId: "usr_123" });

const isEnrolled = result.isEnrolled;

Ruby

result = Authsignal.get_user(user_id: "usr_123")

is_enrolled = result[:is_enrolled]

Python

result = authsignal_client.get_user(user_id="usr_123")

is_enrolled = result["isEnrolled"]

PHP

$result = Authsignal::getUser(userId: "usr_123");

$isEnrolled = $result["isEnrolled"];

Displaying the self-service enrollment and management screens

If the user isn't enrolled for MFA yet, you might want to show a button which presents them with the option to enroll via the Challenge UI. In this case, the onClick handler would make a call to your backend, which would then use the track method to initiate enrollment and return a URL to the app which can be used to enroll the user.

We also set the redirectToSettings param to true to let the user remain on the Challenge UI when enrolling and add a second authenticator if they wish.

cURL

  curl https://signal.authsignal.com/v1/users/usr_123/actions/enroll \
    -u YOUR_SECRET_KEY: \
    -H "Content-Type: application/json" \
    -d '{"redirectUrl": "https://example.app", "redirectToSettings": true}'

Node.js

const { url } = await authsignal.track({
  action: "enroll",
  userId: "usr_123",
  redirectUrl: "https://example.app",
  redirectToSettings: true
});

Ruby

result = Authsignal.track_action({
        action_code: "enroll",
        user_id: "usr_123",
        redirect_url: "https://example.app",
        redirect_to_settings: true
    }
)

Python

result = authsignal_client.track_action(
    action_code="enroll",
    user_id="usr_123",
    payload={
        "redirectUrl": "https://www.example.app",
        "redirectToSettings": true
    }
)

PHP

$payload = array("redirectUrl" => $redirectUrl, "redirectToSettings" => true));

$result = Authsignal::trackAction(actionCode: "enroll",
                                  userId: "usr_123",
                                  payload: $payload);

note

You can pass "enroll" for the name of the action tracked here or a different value if you like. This value just determines what the action will be called when viewing it in the Authsignal Portal.

The redirectUrl you provide here is where users will be redirected back to in your application once they leave the Challenge UI.

For security reasons, enrolled users will always be prompted to complete an MFA challenge before they're able to manage existing MFA settings.

If the redirectToSettings param here is true, the user will remain on the Challenge UI after completing this challenge (where they can manage their MFA settings) instead of being redirected immediately back to your application.

From here the user can enroll additional authenticator types and change their default authenticator.

Enrolling authenticators on the user's behalf

If you have already received and verified a user's email or phone number (for example during sign up) then you might wish to automatically enroll them for MFA, rather than prompting them to enroll themselves again.

You can do this by using the enrollVerifiedAuthenticator method:

cURL

curl https://signal.authsignal.com/v1/users/usr_123/authenticators \
  -u YOUR_SECRET_KEY: \
  -H "Content-Type: application/json" \
  -d '{"oobChannel": "SMS", "phoneNumber": "+64271234567"}'

Node.js

authsignal.enrollVerifiedAuthenticator({
  userId: "usr_123",
  oobChannel: "SMS",
  phoneNumber: "+64271234567",
});

Ruby

Authsignal.enrol_authenticator(user_id: "1234",
                              authenticator:{ oob_channel: "SMS",
                                              phone_number: "+64270000000" })

Python

authsignal_client.enrol_authenticator(
    user_id="1234",
    authenticator_payload={"oobChannel": "SMS", "phoneNumber": "+64270000000"},
)

PHP

Authsignal::enrolAuthenticator(userId: "1234",
                               authenticator: array("oobChannel" => "SMS",
                                                  "phoneNumber" => "+64270000000"));

caution

This option should only be used if you have already verified the user's email or phone number or (by sending them an email or SMS). Once this method is called, the user will be able to use this authenticator type for any future MFA challenges.