
Add MFA based on user store

You can enable a more secure login flow for users that belong to specific user stores by applying the User Store-Based conditional authentication template for Adaptive MFA. This template enables two-factor authentication with TOTP for users who belong to the user store you specify.


Consider a scenario with two user stores, EMPLOYEES and CONTRACTORS. For users assigned to these user stores, the login flow in applications should be stepped up with TOTP as follows:

  1. Username and password
  2. TOTP

User store-based adaptive authentication


Configure the login flow

To enable conditional authentication:

  1. On the WSO2 Identity Server Console, click Applications.

  2. Select the relevant application and go to its Login Flow tab.

  3. Add user store-based adaptive MFA as follows:

    1. Go to Predefined Flows > Conditional Login Flows.

    2. Click Adaptive MFA > User Store-Based > ADD to add the user store-based adaptive MFA script.

      User store-based adaptive MFA with visual editor

    3. Click Confirm on the prompt to replace any existing script with the current script.

  4. Verify that the login flow is now updated with the following two authentication steps:

    • Step 1: Username and Password
    • Step 2: TOTP

  5. Update the following parameter in the script.

    Parameter            Description
    userStoresToStepUp   Comma-separated list of user stores. Two-factor authentication should apply to
                         users from the specified user stores. For this example scenario, enter
                         EMPLOYEES and CONTRACTORS.

  6. Click Update to confirm.

How it works

Shown below is the script of the user store-based conditional authentication template.

// This script will prompt 2FA to the app only for a selected set of user stores.
// If the user is in one of the following user stores, the user will be prompted for 2FA.
var userStoresToStepUp = ['EMPLOYEES', 'CONTRACTORS'];

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting user store domain of authenticated subject from the first step
            var userStoreDomain = context.currentKnownSubject.userStoreDomain;
            // Checking if the user is from one of the configured user stores
            if (userStoresToStepUp.indexOf(userStoreDomain) >= 0) {
                // Prompt step 2 (TOTP) only for users in the listed user stores
                executeStep(2);
            }
        }
    });
};

Let's look at how this script works.

  1. When step 1 of the authentication flow is complete, the onLoginRequest function retrieves the user from the context.
  2. The userStoreDomain is extracted from the authentication information provided in step one.
  3. The script checks whether the extracted userStoreDomain is one of the values specified in the variable userStoresToStepUp.
  4. If the user belongs to any of the configured user stores, authentication step 2 (TOTP) is prompted.
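
The decision described in the steps above can be exercised offline before the script is deployed. The following is an added example, not part of the WSO2 template or product code: simulateLogin and its mock executeStep are hypothetical helpers, and the sample logins (including the PRIMARY store name) are constructed. It also shows that indexOf is an exact, case-sensitive match, so a list entry that does not match the user store domain leaves those users on step 1 only.

```javascript
// Added example: offline harness for the step-up decision in the template.
// simulateLogin and its mock executeStep are hypothetical test helpers,
// not part of the WSO2 Identity Server scripting API.
function simulateLogin(userStoresToStepUp, userStoreDomain, step1Succeeds) {
    var prompted = []; // authentication steps prompted, in order

    // Mock engine call: record the step, then fire the matching callback.
    function executeStep(step, callbacks) {
        prompted.push(step);
        var context = { currentKnownSubject: { userStoreDomain: userStoreDomain } };
        var ok = step !== 1 || step1Succeeds;
        var handler = callbacks && (ok ? callbacks.onSuccess : callbacks.onFail);
        if (handler) { handler(context); }
    }

    // Same decision logic as the template script on this page.
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                var domain = context.currentKnownSubject.userStoreDomain;
                if (userStoresToStepUp.indexOf(domain) >= 0) {
                    executeStep(2);
                }
            }
        });
    };

    onLoginRequest({});
    return prompted;
}

// Constructed cases: [configured list, user's store, password step succeeds?]
var cases = [
    [['EMPLOYEES', 'CONTRACTORS'], 'EMPLOYEES', true],   // stepped up
    [['EMPLOYEES', 'CONTRACTORS'], 'CONTRACTORS', true], // stepped up
    [['EMPLOYEES', 'CONTRACTORS'], 'PRIMARY', true],     // not listed
    [['EMPLOYEES', 'CONTRACTORS'], 'EMPLOYEES', false],  // step 1 failed
    [['employees'], 'EMPLOYEES', true]                   // list entry mis-cased
];
cases.forEach(function (c) {
    console.log(JSON.stringify(c[0]), c[1], 'step1 ok=' + c[2],
        '-> steps prompted:', JSON.stringify(simulateLogin(c[0], c[1], c[2])));
});
```
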


Find out more about the scripting language in the Conditional Authentication API Reference.

Try it out

Follow the steps given below.

  1. Access the application URL.
  2. Try to log in with a user who does not belong to any of the configured user stores (EMPLOYEES or CONTRACTORS). You will successfully sign in to the application.
  3. Log out of the application.
  4. Log in with a user who belongs to the EMPLOYEES or CONTRACTORS user store. TOTP authentication is prompted.