Partial MFA?

Would it be possible to enable MFA only for a specific subset of users?

Hey Ahmed – thanks for posting!

This is certainly possible. You could accomplish this by granting access to logged-in content to certain users who only have one authentication factor present on the Stytch session object, and require that two authentication factors be present before granting access to other users.

You’d either need to maintain a list of users (or email domains, etc.) internally who you require MFA for, or you could store that data inside the trusted_metadata object associated with each Stytch user. You could also set that data as a custom claim inside the session_custom_claims object each time a new session is created, so that you wouldn’t need to look it up each time you authenticate an existing session.

Please let me know if you have any additional questions about this, and I’ll be happy to follow up!
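An added example of the gating logic the reply describes, written for this page rather than taken from the reply or from Stytch. It assumes constructed dicts that mirror a Stytch session (`authentication_factors`, each with a `type`, plus `custom_claims`) and a Stytch user (`emails`, `trusted_metadata`); the field names `mfa_required` and the domain allowlist are hypothetical.

```python
from typing import Optional

# Constructed fixtures shaped like a Stytch session and user (not SDK objects).
SESSION_ONE_FACTOR = {"authentication_factors": [{"type": "magic_link"}], "custom_claims": {}}
SESSION_TWO_FACTORS = {"authentication_factors": [{"type": "magic_link"}, {"type": "totp"}],
                       "custom_claims": {}}
# Two factors of the same type must not count as MFA.
SESSION_SAME_TYPE_TWICE = {"authentication_factors": [{"type": "magic_link"}, {"type": "magic_link"}],
                           "custom_claims": {}}
# Claim written at session creation so the user record need not be re-read each request.
SESSION_WITH_CLAIM = {"authentication_factors": [{"type": "magic_link"}],
                      "custom_claims": {"mfa_required": False}}

USER_ADMIN = {"emails": [{"email": "alice@example.com"}], "trusted_metadata": {"mfa_required": True}}
USER_CORP = {"emails": [{"email": "bob@corp.example"}], "trusted_metadata": {}}
USER_PLAIN = {"emails": [{"email": "carol@example.net"}], "trusted_metadata": {}}
MFA_DOMAINS = {"corp.example"}  # hypothetical internal list of domains that require MFA


def count_distinct_factor_types(session: dict) -> int:
    """Distinct factor types present on the session (repeats of one type count once)."""
    return len({f.get("type") for f in session.get("authentication_factors", []) if f.get("type")})


def mfa_required(session: dict, user: Optional[dict], mfa_domains: set) -> bool:
    """Resolve the policy in the order the reply suggests:
    session custom claim -> user trusted_metadata -> internal email-domain list.
    An unknown user fails closed (MFA required)."""
    claim = session.get("custom_claims", {}).get("mfa_required")
    if isinstance(claim, bool):
        return claim
    if user is None:
        return True
    if user.get("trusted_metadata", {}).get("mfa_required") is True:
        return True
    domains = {e["email"].rsplit("@", 1)[-1].lower()
               for e in user.get("emails", []) if "@" in e.get("email", "")}
    return bool(domains & mfa_domains)


def authorize(session: dict, user: Optional[dict], mfa_domains: set) -> str:
    """Server-side decision for a protected route: 'allow' or 'step_up_required'."""
    if not mfa_required(session, user, mfa_domains):
        return "allow"
    return "allow" if count_distinct_factor_types(session) >= 2 else "step_up_required"


if __name__ == "__main__":
    print(authorize(SESSION_ONE_FACTOR, USER_ADMIN, MFA_DOMAINS))  # step_up_required
```

Run the check on every request to logged-in content, not only at login, so a session that was created with one factor cannot reach MFA-gated routes later.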