How to use MFA validation to secure your business action?


What is MFA validation?

MFA validation is the Visual Guard process in which Multi-Factor Authentication (MFA) is required before a specific business action is authorized. A critical operation is executed only after the user's identity has been re-verified with an additional authentication factor, which adds step-up security to sensitive tasks inside an application.

Example: consider a wire transfer. An employee of company XYZ wants to wire money to a third party; the illustration below shows how MFA validation lets the application accept or reject the operation for that user.

Note: only an authenticated and authorized user can run the MFA validation process. MFA validation is a step-up check on top of the normal login and authorization checks, not a replacement for them.

Overview of the MFA validation

MFA Validation can be done through an API.

Step 1: Get MFA Available (examples: MFA via link on email, MFA via OTP on email, etc.)

Step 2: Select a specific MFA Available item

Step 3: Validate the operation (there are three options here)

  • Validate operation by Id
  • Validate operation by mode
  • Validate operation

Details of each MFA validation step

Refer to the Postman documentation.

Below is an example response for Get MFA Available:

{
    "mfaAvailables": [
        {
            "id": "bb815f09-50e8-4aca-8ffc-c76a9894858a",
            "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
            "transportMode": "Email",
            "authenticationMode": "Link",
            "destination": "abc.xyz@gmail.com",
            "destinationDisplay": "m****************s@g****.com",
            "expirationTime": 120
        },
        {
            "id": "bb3c236b-f8a6-4c35-bb1c-236b504262e5",
            "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
            "transportMode": "Email",
            "authenticationMode": "OTP",
            "destination": "abc.xyz@gmail.com",
            "destinationDisplay": "m****************s@g****.com",
            "expirationTime": 120
        }
    ],
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "mfaEnrollmentRequest": {
        "id": "6b02489e-4984-46c4-9094-cbf6ce563718",
        "enrollmentUrl": "http://localhost:5000/mfa/enroll/6b02489e-4984-46c4-9094-cbf6ce563718",
        "transportModes": [
            "SMS"
        ]
    }
}

Select the appropriate MFA available item and copy its id (MFAAvailableId) together with the requestId from the response above. When telling the user where the code or link was sent, show the masked destinationDisplay value rather than the raw destination.

For example, we select the MFAAvailableId of the chosen item:
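Steps 1 and 2 in code, as an added example (not Visual Guard's own code): the script below parses the Get MFA Available response from this page, which is embedded as constructed input so it runs offline, picks an item by preferred (transportMode, authenticationMode), and builds a user-facing menu from destinationDisplay only. Only the payload shape shown above is assumed; field semantics beyond that (for instance the unit of expirationTime) are not.

```python
"""Parse a Visual Guard "Get MFA Available" response and choose an MFA method.

Added example.  SAMPLE_RESPONSE is the example response from this page, embedded
so the script runs offline; only that payload shape is assumed.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed input: the example "Get MFA Available" response from this page.
SAMPLE_RESPONSE = r'''{
    "mfaAvailables": [
        {
            "id": "bb815f09-50e8-4aca-8ffc-c76a9894858a",
            "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
            "transportMode": "Email",
            "authenticationMode": "Link",
            "destination": "abc.xyz@gmail.com",
            "destinationDisplay": "m****************s@g****.com",
            "expirationTime": 120
        },
        {
            "id": "bb3c236b-f8a6-4c35-bb1c-236b504262e5",
            "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
            "transportMode": "Email",
            "authenticationMode": "OTP",
            "destination": "abc.xyz@gmail.com",
            "destinationDisplay": "m****************s@g****.com",
            "expirationTime": 120
        }
    ],
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "mfaEnrollmentRequest": {
        "id": "6b02489e-4984-46c4-9094-cbf6ce563718",
        "enrollmentUrl": "http://localhost:5000/mfa/enroll/6b02489e-4984-46c4-9094-cbf6ce563718",
        "transportModes": ["SMS"]
    }
}'''


@dataclass(frozen=True)
class MfaAvailable:
    """One selectable MFA method.  The raw `destination` is deliberately not
    carried over: end users should only ever see the masked `destinationDisplay`."""
    id: str                   # MFAAvailableId, used by "Validate operation by Id"
    request_id: str           # RequestId that every validate call must echo back
    transport_mode: str       # Email, SMS or MicrosoftAuthenticator
    authentication_mode: str  # Link or OTP
    destination_display: str
    expiration_time: int      # unit is not stated on the page; kept as the raw value


def parse_mfa_availables(raw: str) -> tuple[str, list[MfaAvailable], list[str]]:
    """Return (requestId, available methods, transport modes the user could still enroll)."""
    doc = json.loads(raw)
    request_id = doc["requestId"]
    items: list[MfaAvailable] = []
    for m in doc.get("mfaAvailables", []):
        # Every item must belong to the same validation request; a mismatch means
        # the client would be mixing identifiers from two different requests.
        if m["requestId"] != request_id:
            raise ValueError(f"mfaAvailable {m['id']} belongs to another request")
        items.append(MfaAvailable(
            id=m["id"],
            request_id=m["requestId"],
            transport_mode=m["transportMode"],
            authentication_mode=m["authenticationMode"],
            destination_display=m["destinationDisplay"],
            expiration_time=int(m["expirationTime"]),
        ))
    enrollment = doc.get("mfaEnrollmentRequest") or {}
    return request_id, items, list(enrollment.get("transportModes", []))


def select_mfa(items: list[MfaAvailable],
               preferences: list[tuple[str, str]]) -> Optional[MfaAvailable]:
    """Pick the first item matching an ordered list of (transportMode,
    authenticationMode) preferences, or None when nothing matches."""
    for transport, auth in preferences:
        for item in items:
            if item.transport_mode == transport and item.authentication_mode == auth:
                return item
    return None


def choices_for_display(items: list[MfaAvailable]) -> list[str]:
    """Menu lines that are safe to show to the end user (masked destination only)."""
    return [f"{i.transport_mode} / {i.authentication_mode} -> {i.destination_display}"
            for i in items]


if __name__ == "__main__":
    rid, available, to_enroll = parse_mfa_availables(SAMPLE_RESPONSE)
    print("requestId:", rid)
    for line in choices_for_display(available):
        print(" ", line)
    chosen = select_mfa(available, [("Email", "OTP"), ("Email", "Link")])
    print("selected MFAAvailableId:", chosen.id if chosen else None)
    print("modes the user could still enroll:", to_enroll)
```

The returned requestId and the chosen item's id are exactly the two values the validate calls in the options below need; the enrollment transport modes tell the application which methods the user has not set up yet.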


There are multiple methods available to validate a business operation; choose the one that fits your integration.

  • Option 1: Validate operation by Id

To validate the operation by Id, pass the following ids:

  • MFAAvailableId
  • RequestId
  • SecureCode (in the case of authenticate via OTP)

For example, here we select MFA authentication via link on email from the Get MFA Available response:

{
    "id": "bb815f09-50e8-4aca-8ffc-c76a9894858a",
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "transportMode": "Email",
    "authenticationMode": "Link",
    "destination": "abc.xyz@gmail.com",
    "destinationDisplay": "m****************s@g****.com",
    "expirationTime": 120
}

Refer to the Postman documentation. After the user approves the link, we get the following response:

{
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "status": "Success",
    "statusCode": 1,
    "enrollmentUrl": "http://localhost:5000/mfa/enroll/6b02489e-4984-46c4-9094-cbf6ce563718"
}

  • Option 2: Validate operation by Mode

To validate the MFA operation by mode, pass the TransportMode and AuthenticationMode in the method request:

  • TransportMode: possible values – SMS, Email or MicrosoftAuthenticator
  • AuthenticationMode: possible values – Link or OTP
  • SecureCode (in the case of authentication via OTP)

Refer to the Postman documentation.

For example, if we select MFA authentication via OTP on email from the Get MFA Available response, we pass its TransportMode and AuthenticationMode in the request.

{
    "id": "bb3c236b-f8a6-4c35-bb1c-236b504262e5",
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "transportMode": "Email",
    "authenticationMode": "OTP",
    "destination": "abc.xyz@gmail.com",
    "destinationDisplay": "m****************s@g****.com",
    "expirationTime": 120
}

The request for the first call is shown below; secureCode is null because no OTP has been sent yet.

{
  "transportMode": "Email",
  "authenticationMode": "OTP",
  "secureCode": null
}

Executing this request returns the following response. The status UserActionRequest (statusCode 3) means the OTP has been sent and the operation is waiting for the user to enter it; the business action must not proceed on this status.

{
    "requestId": "89d63748-0322-4c8e-87fa-e5df492fa19b",
    "status": "UserActionRequest",
    "statusCode": 3,
    "enrollmentUrl": "http://localhost:5000/mfa/enroll/89d63748-0322-4c8e-87fa-e5df492fa19b"
}

Then we execute the second part of the operation, authenticating the OTP the user received. The request is shown below.

{
  "transportMode": "Email",
  "authenticationMode": "OTP",
  "secureCode": "615055"
}

Executing this request returns the following response; only the Success status (statusCode 1) authorizes the business action.

{
    "requestId": "48dc2fcc-b5d5-4aac-81b2-1db193f7f936",
    "status": "Success",
    "statusCode": 1,
    "enrollmentUrl": "http://localhost:5000/mfa/enroll/48dc2fcc-b5d5-4aac-81b2-1db193f7f936"
}

  • Option 3: Validate operation

To validate the MFA operation with this method, pass the following parameters in the request:

  • RequestId
  • SelectedMFAId
  • SecureCode (in the case of authentication via OTP)
  • MfaAction: possible values – SendOTP, SendLink, AuthenticateOTP, CancelOTP or CancelLink

Refer to the Postman documentation.

For example, here we select MFA authentication via link on email from the Get MFA Available response:

{
    "id": "bb815f09-50e8-4aca-8ffc-c76a9894858a",
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "transportMode": "Email",
    "authenticationMode": "Link",
    "destination": "abc.xyz@gmail.com",
    "destinationDisplay": "m****************s@g****.com",
    "expirationTime": 120
}

Our request is shown below.

{
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "selectedMFAId": "bb815f09-50e8-4aca-8ffc-c76a9894858a",
    "secureCode": null,
    "mfaAction": "SendLink"
}

Executing this request sends the link to the user. After the user approves the link, we get the following response.

{
    "requestId": "6b02489e-4984-46c4-9094-cbf6ce563718",
    "status": "Success",
    "statusCode": 1,
    "enrollmentUrl": "http://localhost:5000/mfa/enroll/6b02489e-4984-46c4-9094-cbf6ce563718"
}
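The two-step OTP exchange of Option 2 and the mfaAction-driven flow of Option 3 share one gating rule: the business action runs only when the validate response reports status Success with statusCode 1, and a pending OTP is cancelled when the user gives up or exhausts their attempts. The script below is an added example (not Visual Guard code) that builds the Option 3 payloads shown above, drives SendOTP, AuthenticateOTP and CancelOTP, and only then executes the wire transfer. The page does not give the validate endpoint's URL, so the HTTP call is injected; FakeMfaApi is a constructed in-memory stand-in whose Success and UserActionRequest bodies are copied from this page, while its "Failed" and "Cancelled" bodies (statusCode 0) are assumptions, since the page shows no failure response.

```python
"""Gate a business action (the wire transfer from this page) behind MFA validation.

Added example, not Visual Guard code.  Builds "Validate operation" (Option 3)
payloads, drives SendOTP -> AuthenticateOTP -> CancelOTP, and runs the action only
on a Success/1 response.  The API call is injected; FakeMfaApi below is a
constructed stand-in for the real endpoint, whose URL the page does not give.
"""
from typing import Callable, Optional

STATUS_CODE_SUCCESS = 1              # "Success" on this page
STATUS_CODE_USER_ACTION_REQUEST = 3  # "UserActionRequest": OTP/link sent, waiting on the user
MFA_ACTIONS = {"SendOTP", "SendLink", "AuthenticateOTP", "CancelOTP", "CancelLink"}


def build_validate_request(request_id: str, selected_mfa_id: str,
                           mfa_action: str, secure_code: Optional[str] = None) -> dict:
    """Body for "Validate operation" (Option 3).  secureCode only makes sense for
    AuthenticateOTP, so it is rejected elsewhere instead of being sent silently."""
    if mfa_action not in MFA_ACTIONS:
        raise ValueError(f"unknown mfaAction {mfa_action!r}")
    if mfa_action == "AuthenticateOTP" and not secure_code:
        raise ValueError("AuthenticateOTP requires a secureCode")
    if mfa_action != "AuthenticateOTP" and secure_code is not None:
        raise ValueError(f"secureCode must be null for {mfa_action}")
    return {"requestId": request_id, "selectedMFAId": selected_mfa_id,
            "secureCode": secure_code, "mfaAction": mfa_action}


def is_validated(response: dict) -> bool:
    """Fail closed: both the status string and the statusCode must say Success."""
    return (response.get("status") == "Success"
            and response.get("statusCode") == STATUS_CODE_SUCCESS)


def guarded_wire_transfer(call_api: Callable[[dict], dict],
                          prompt_for_code: Callable[[], Optional[str]],
                          execute_transfer: Callable[[], str],
                          request_id: str, selected_mfa_id: str,
                          max_attempts: int = 3) -> tuple[str, Optional[str]]:
    """Return (outcome, transfer result).  execute_transfer runs only after Success."""
    sent = call_api(build_validate_request(request_id, selected_mfa_id, "SendOTP"))
    if sent.get("statusCode") != STATUS_CODE_USER_ACTION_REQUEST:
        return "rejected", None          # OTP was never dispatched: do not proceed
    for _ in range(max_attempts):
        code = prompt_for_code()
        if code is None:                 # user gave up: release the pending OTP
            call_api(build_validate_request(request_id, selected_mfa_id, "CancelOTP"))
            return "cancelled", None
        result = call_api(build_validate_request(request_id, selected_mfa_id,
                                                 "AuthenticateOTP", code))
        if is_validated(result):
            return "executed", execute_transfer()
    call_api(build_validate_request(request_id, selected_mfa_id, "CancelOTP"))
    return "rejected", None              # attempts exhausted, OTP cancelled


class FakeMfaApi:
    """Constructed stand-in for the validate endpoint.  Success/UserActionRequest
    bodies are copied from this page; the Failed/Cancelled bodies are assumptions."""
    def __init__(self, request_id: str, mfa_id: str, otp: str):
        self.request_id, self.mfa_id, self.otp = request_id, mfa_id, otp
        self.pending = False             # an OTP has been sent and not yet consumed
        self.log: list[str] = []         # mfaActions received, in order

    def __call__(self, body: dict) -> dict:
        self.log.append(body["mfaAction"])
        url = f"http://localhost:5000/mfa/enroll/{self.request_id}"
        if body["requestId"] != self.request_id or body["selectedMFAId"] != self.mfa_id:
            return {"requestId": body["requestId"], "status": "Failed", "statusCode": 0}
        if body["mfaAction"] == "SendOTP":
            self.pending = True
            return {"requestId": self.request_id, "status": "UserActionRequest",
                    "statusCode": 3, "enrollmentUrl": url}
        if body["mfaAction"] == "CancelOTP":
            self.pending = False
            return {"requestId": self.request_id, "status": "Cancelled", "statusCode": 0}
        if (body["mfaAction"] == "AuthenticateOTP" and self.pending
                and body["secureCode"] == self.otp):
            self.pending = False         # an OTP is accepted once only
            return {"requestId": self.request_id, "status": "Success",
                    "statusCode": 1, "enrollmentUrl": url}
        return {"requestId": self.request_id, "status": "Failed", "statusCode": 0}


if __name__ == "__main__":
    api = FakeMfaApi("6b02489e-4984-46c4-9094-cbf6ce563718",
                     "bb3c236b-f8a6-4c35-bb1c-236b504262e5", otp="615055")
    codes = iter(["000000", "615055"])   # first guess wrong, second one correct
    outcome = guarded_wire_transfer(api, lambda: next(codes),
                                    lambda: "wire TX-1 executed",
                                    api.request_id, api.mfa_id)
    print(outcome, api.log)
```

The same gate applies unchanged to Options 1 and 2: only the request body differs (MFAAvailableId plus RequestId, or TransportMode plus AuthenticationMode), while the decision is still taken on the status and statusCode of the final response, and any other status leaves the business action unexecuted.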