This document outlines the specific rules and scenarios handled by the authentication system, particularly focusing on the interaction between Magic Link login, OTP login, and Two-Factor Authentication (2FA).
Before reviewing the scenarios, please understand the two key settings that control the flow:
enforce_2fa (Boolean).enable_2fa (Boolean).The following table describes how the system behaves based on the combination of these two settings and the chosen login method.
| Client 2FA Enforcement | User 2FA Preference | Login Method | Expected Outcome | Logic Description |
|---|---|---|---|---|
| Enforced (ON) | Enabled (ON) | Magic Link | 2FA Challenge | Client enforcement is strict. Even though Magic Link is secure, the system demands the second factor (OTP) because the client requires it. |
| Enforced (ON) | Disabled (OFF) | Magic Link | 2FA Challenge | Client enforcement requires 2FA for all users. The user will be prompted to set up 2FA if not configured, or challenged if configured. |
| Enforced (ON) | Enabled (ON) | Password | 2FA Challenge | Standard flow. Password verified -> 2FA required. |
| Enforced (ON) | Disabled (OFF) | Password | 2FA Challenge | Standard flow. Password verified -> 2FA required (or setup). |
| Flexible (OFF) | Enabled (ON) | Magic Link | Login Success (Bypasses 2FA) | Magic Link is a secure possession factor. If client is flexible, we trust the user's choice to use it. |
| Flexible (OFF) | Disabled (OFF) | Magic Link | Login Success | Single factor (Magic Link) is sufficient. |
| Flexible (OFF) | Enabled (ON) | Password | 2FA Challenge | User entered password, but has 2FA enabled. We must challenge for 2FA to ensure security. |
| Flexible (OFF) | Disabled (OFF) | Password | Login Success | Standard password-only login. |
| Enforced (ON) | Enabled (ON) | OTP Login | Blocked | Security Restriction: If 2FA is enabled, the user must use Password + 2FA. OTP-only login is disabled to prevent bypassing the knowledge factor (password). |
| Enforced (ON) | Disabled (OFF) | OTP Login | Login Success | (Loophole/Fallback): Since the user has not set up 2FA yet, they are allowed to login via OTP (Possession). Note: Ideally, enforced clients should disable OTP-only login or force 2FA setup immediately. |
| Flexible (OFF) | Enabled (ON) | OTP Login | Blocked | Security Restriction: If 2FA is enabled, the user must use Password + 2FA. OTP-only login is disabled. |
| Flexible (OFF) | Disabled (OFF) | OTP Login | Login Success | Single-factor authentication via OTP (Possession). Allowed if 2FA is not active for the user. |
If a user enables "Disable Password Login" in their profile (only available if Magic Link is enabled):
magic_link_token) and emails a link.