Skip to content

Add MFA based on user roles

You can enable a more secure login flow for users that belong to specific roles associated with the application by applying the Role-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP or passkeys for users who belong to the user role you specify.


Consider a scenario with two roles, admin and manager associated with an application. For users assigned to these roles, the login flow in the application should be stepped up with TOTP or passkeys as follows:

  1. Username and password
  2. TOTP or Passkey

Role based adaptive authentication


Configure the login flow

To enable conditional authentication:

  1. On the WSO2 Identity Server Console, click Applications.

  2. Select the relevant application and go to its Login Flow tab.

  3. Add role-based adaptive MFA as follows:

    1. Go to Predefined Flows > Conditional Login Flows.

    2. Click Adaptive MFA > Role-Based > Add to add the role-based adaptive MFA script.

      Role-based adaptive MFA with visual editor

    3. Click Confirm to replace any existing script with the selected predefined script.

  4. Verify that the login flow is now updated with the following two authentication steps:

    • Step 1: Username and Password
    • Step 2: TOTP and Passkey
  5. Update the following parameter in the script.

    Parameter Description

    Comma-separated list of user roles. Two-factor authentication should apply to users from these roles.

    For this example scenario, enter admin and manager.

  6. Click Update to confirm.

How it works

Shown below is the script of the role-based conditional authentication template.

// This script will step up authentication for any user belonging
// to one of the given roles
// If the user has any of the below roles, authentication will be stepped up
var rolesToStepUp = ['admin', 'manager'];

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function(context) {
            // Extracting authenticated subject from the first step
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given roles
            var hasRole = hasAnyOfTheRolesV2(context, rolesToStepUp);
            if (hasRole) {
       + ' Has one of Roles: ' + rolesToStepUp.toString());

Let's look at how this script works.

  1. When step 1 of the authentication flow is complete, the onLoginRequest function retrieves the user from the context.
  2. The user and the configured list of roles are passed to the following function: hasAnyOfTheRolesV2.
  3. This function (which is available in WSO2 Identity Server by default) verifies whether the given user belongs to any of the listed roles associated to the login application.
  4. If the user belongs to any of the configured roles, authentication step 2 (TOTP or Passkey) is prompted.


Find out more about the scripting language in the Conditional Authentication API Reference.

Try it out

Follow the steps given below.

  1. Access the application URL.
  2. Try to log in with a user who does not belong to any of the configured roles (manager or admin). You will successfully sign in to the application.
  3. Log out of the application.
  4. Log in with a user who belongs to the admin or manager role.

    The user will be prompted to select the step-up method, and the sign-in flow will be stepped up according to the user's preference.