Annotation Interface EnableMultiFactorAuthentication


@Retention(RUNTIME) @Target(TYPE) @Documented @Import(org.springframework.security.config.annotation.authorization.MultiFactorAuthenticationSelector.class) public @interface EnableMultiFactorAuthentication
Enables Multi-Factor Authentication (MFA) support within Spring Security. When authorities() is specified, a DefaultAuthorizationManagerFactory is created as a Bean with the given authorities() as additional required authorities. When when() is MultiFactorCondition.WEBAUTHN_REGISTERED, authorities() must include FactorGrantedAuthority.WEBAUTHN_AUTHORITY; otherwise an IllegalArgumentException is thrown during configuration processing. When when() is not specified (the default is an empty array), no such requirement applies. The configuration is picked up by both EnableWebSecurity and EnableMethodSecurity.

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication;
import org.springframework.security.core.authority.FactorGrantedAuthority;

@Configuration
// Both factors must be present in the Authentication for authorization rules to pass;
// the constants are the FactorGrantedAuthority values "FACTOR_PASSWORD" and "FACTOR_OTT".
@EnableMultiFactorAuthentication(authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.OTT_AUTHORITY })
public class MyConfiguration {
    // ...
}

You can also publish one or more Customizer<AdditionalRequiredFactorsBuilder<Object>> beans to further customize the DefaultAuthorizationManagerFactory. For example, conditionally applying MFA for specific users:

import org.springframework.context.annotation.Bean;
import org.springframework.security.authorization.AuthorizationManagerFactories;
import org.springframework.security.config.Customizer;

// Declared inside a @Configuration class; the DefaultAuthorizationManagerFactory created by
// @EnableMultiFactorAuthentication applies the additional factors only when the predicate matches.
@Bean
Customizer<AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder<Object>> additionalRequiredFactorsCustomizer() {
    return (builder) -> builder.when((auth) -> "admin".equals(auth.getName()));
}
NOTE: At this time reactive applications do not support MFA and thus are not impacted. This will likely be enhanced in the future.
Since:
7.0
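The constraint between when() and authorities() described above, as an added example that is not part of the Spring Security Javadoc: a web security configuration that requires a second factor only for users who have registered a WebAuthn credential. The package of MultiFactorCondition, the relying-party values and the "svc-" account prefix are assumptions made for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationManagerFactories;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authorization.EnableMultiFactorAuthentication;
import org.springframework.security.config.annotation.authorization.MultiFactorCondition; // assumed package
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.FactorGrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
// Rejected during configuration processing with IllegalArgumentException, because
// when = WEBAUTHN_REGISTERED requires WEBAUTHN_AUTHORITY to be listed in authorities:
//
//   @EnableMultiFactorAuthentication(
//           authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY },
//           when = MultiFactorCondition.WEBAUTHN_REGISTERED)
//
// Accepted: the WebAuthn factor is listed, so users with a registered credential must
// present both a password and a WebAuthn assertion; users without one are unaffected.
@EnableMultiFactorAuthentication(
        authorities = { FactorGrantedAuthority.PASSWORD_AUTHORITY, FactorGrantedAuthority.WEBAUTHN_AUTHORITY },
        when = MultiFactorCondition.WEBAUTHN_REGISTERED)
public class MfaSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            // WebAuthn must be enabled so that credentials can be registered and asserted.
            .webAuthn((webAuthn) -> webAuthn
                .rpName("Example App")                   // placeholder relying-party name
                .rpId("example.com")                     // placeholder relying-party id
                .allowedOrigins("https://example.com")); // placeholder origin
        return http.build();
    }

    // Optional narrowing of the factory created by the annotation: accounts whose name starts
    // with the (constructed) "svc-" prefix are exempt from the additional factors.
    @Bean
    Customizer<AuthorizationManagerFactories.AdditionalRequiredFactorsBuilder<Object>> interactiveUsersOnly() {
        return (builder) -> builder.when((auth) -> !auth.getName().startsWith("svc-"));
    }
}
```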
  • Required Element Summary

    Required Elements
    Modifier and Type    Required Element    Description
    String[]             authorities         The additional authorities that are required.
  • Optional Element Summary

    Optional Elements
    Optional Element    Description
    when                The conditions under which multi-factor authentication is required.
  • Element Details

    • authorities

      String[] authorities
      The additional authorities that are required.
      Returns:
      the additional authorities that are required (e.g. { FactorGrantedAuthority.FACTOR_OTT, FactorGrantedAuthority.FACTOR_PASSWORD }). Can be null or an empty array if no additional authorities are required (if authorization rules are not globally requiring MFA).
      See Also:
      • FactorGrantedAuthority
    • when

      The conditions under which multi-factor authentication is required.

      When multiple conditions are specified, they are applied as an AND (all conditions must be met).

      Returns:
      the conditions (default is an empty array, which requires MFA unconditionally)
      Since:
      7.1
      Default:
      {}