MFA Methods
(Documentation incomplete)
To use this module, access tokens with an audience of 0000000c-0000-0000-c000-000000000000 are required. It only seems possible to obtain such a token through the v2 OAuth2 token endpoint, so make sure to request the token via the v2 API as shown below.
To add/remove FIDO security keys, you also need a fresh access token with the ngcmfa value in the amr claim. For all other MFA methods (Authenticator App, TOTP, mobile phone, email, ...), this claim is NOT required.
This claim can be specifically requested during the creation of the device code, and will force the victim user to use MFA during the device code authentication with that code.
An optional checkbox on the device code page can be used to enable this.
Even if the token itself is valid for longer, this claim only seems to be accepted within the first 15 minutes after the token was issued, so make sure to add the FIDO key within that timeframe!
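The two requirements above (the MFA audience, and a fresh ngcmfa value in amr) can be read straight out of an access token's claims. The following added helper, which is not part of GraphSpy, decodes a JWT payload without verifying its signature and reports whether the token targets the MFA audience and whether its ngcmfa claim is still inside the 15-minute window; this is the kind of check an incident responder does when judging what a captured token could have been used for. The sample token is constructed inline and unsigned.

```python
import base64
import json

# Audience the MFA-methods API expects (value from the page above).
MFA_AUDIENCE = "0000000c-0000-0000-c000-000000000000"
# Window in which the ngcmfa amr claim is honoured (15 minutes, per the page).
NGCMFA_WINDOW_SECONDS = 15 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Inspection only: this proves nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def assess_mfa_token(token: str, now: int) -> dict:
    """Summarise what the token could do against MFA methods at time `now`
    (Unix seconds): right audience, ngcmfa present, and ngcmfa still fresh."""
    claims = decode_claims(token)
    issued_at = int(claims.get("iat", 0))
    age = now - issued_at
    has_ngcmfa = "ngcmfa" in claims.get("amr", [])
    return {
        "mfa_audience": claims.get("aud") == MFA_AUDIENCE,
        "has_ngcmfa": has_ngcmfa,
        # FIDO key changes need both the claim and a token younger than 15 min.
        "ngcmfa_still_honoured": has_ngcmfa and 0 <= age <= NGCMFA_WINDOW_SECONDS,
        "seconds_since_issue": age,
    }


def _make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample JWT for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'typ': 'JWT', 'alg': 'none'})}.{enc(payload)}.sig"


# Constructed sample: MFA audience, ngcmfa present, issued at SAMPLE_IAT.
SAMPLE_IAT = 1_700_000_000
SAMPLE_TOKEN = _make_sample_token(
    {"aud": MFA_AUDIENCE, "amr": ["pwd", "mfa", "ngcmfa"], "iat": SAMPLE_IAT})
```

Call `assess_mfa_token(SAMPLE_TOKEN, now=SAMPLE_IAT + 600)` to see a token that is 10 minutes old still inside the window, and `now=SAMPLE_IAT + 1000` to see it expire for FIDO purposes while the rest of the token stays usable.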
The authentication methods available to the user can first be listed using the reload button. Afterward, registered authentication methods can be removed using the delete icon, or added/replaced using the add/replace icons respectively.
GraphSpy can act as an Authenticator App to generate TOTP codes. This is visible near the bottom half of the page. Once added to an account, just click on the copy icon to automatically copy the currently generated code to your clipboard, and use it when authenticating with the account.