This example app demonstrates how to leverage Stytch's Device Fingerprinting (DFP) product to power Adaptive MFA, where users are only required to complete MFA if they are logging in on a new device.
The app supports organization creation and demonstrates a limited set of management features. After authentication, users can create new organizations. Once an organization exists, authenticated users can manage its Just-in-Time (JIT) Provisioning configuration to tailor onboarding to their needs. JIT provisioning lets administrators enable automatic onboarding for new users whose email addresses match specified domains.
The app records each user's known devices in an in-memory structure after a successful MFA completion and DFP verdict, and uses that information to decide whether a subsequent login attempt should be challenged with MFA.
The following use cases in the app demonstrate the integration of Stytch's B2B authentication, MFA, and Device Fingerprinting capabilities:
- New User Login and MFA Enrollment:
  - A new user logs in for the first time.
  - They are prompted to enroll in MFA by providing a phone number.
  - After successful MFA enrollment, their device is marked as trusted.
- Returning User on Known Device:
  - A returning user attempts to log in on a previously used device.
  - The app recognizes the device and allows login without MFA.
- Returning User on New Device:
  - A returning user attempts to log in on a new, unrecognized device.
  - The app prompts for MFA verification before allowing login.
  - After successful MFA, the new device is marked as trusted for future logins.
- DFP Verdict Handling:
  - The app checks the DFP verdict for each login attempt.
  - If the verdict is "BLOCK", the login is denied (simulated by redirecting to a success page to avoid revealing the block).
  - If the verdict is "CHALLENGE", MFA is required even for known devices.
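The decision logic those four use cases describe, written as an added example that is not the repository's own code: a per-member in-memory trust store plus a single policy function that takes the DFP verdict action (ALLOW, CHALLENGE or BLOCK) and the visitor fingerprint. The `member_id` and `fingerprint` parameter names are assumptions, and unknown verdict values fail closed to an MFA challenge.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Set


class Decision(Enum):
    ALLOW = "allow"              # known device, ALLOW verdict: skip MFA
    ENROLL_MFA = "enroll_mfa"    # first login: collect a phone number
    REQUIRE_MFA = "require_mfa"  # unknown device or CHALLENGE verdict
    BLOCK = "block"              # BLOCK verdict: deny (the app hides this)


@dataclass
class AdaptiveMfaPolicy:
    # member_id -> fingerprints that completed MFA on that device.
    # In-memory only, like the example app: trust is lost on restart.
    trusted: Dict[str, Set[str]] = field(default_factory=dict)

    def is_trusted(self, member_id: str, fingerprint: str) -> bool:
        return fingerprint in self.trusted.get(member_id, set())

    def mark_trusted(self, member_id: str, fingerprint: str) -> None:
        # Only call this after MFA actually succeeded on this device.
        self.trusted.setdefault(member_id, set()).add(fingerprint)

    def decide(self, member_id: str, fingerprint: str,
               verdict_action: str, mfa_enrolled: bool) -> Decision:
        # verdict_action is the action from the DFP lookup (assumed
        # to be one of ALLOW, CHALLENGE, BLOCK); checked before anything
        # else so a BLOCK is never bypassed by device trust.
        action = verdict_action.upper()
        if action == "BLOCK":
            return Decision.BLOCK
        if not mfa_enrolled:
            return Decision.ENROLL_MFA
        # Only an explicit ALLOW on a trusted device skips MFA; CHALLENGE
        # and any unexpected value fall through to a challenge.
        if action == "ALLOW" and self.is_trusted(member_id, fingerprint):
            return Decision.ALLOW
        return Decision.REQUIRE_MFA


if __name__ == "__main__":
    # Constructed sample flow: first login, then known and new devices.
    policy = AdaptiveMfaPolicy()
    print(policy.decide("member-1", "fp-laptop", "ALLOW", False))
    policy.mark_trusted("member-1", "fp-laptop")
    print(policy.decide("member-1", "fp-laptop", "ALLOW", True))
    print(policy.decide("member-1", "fp-phone", "ALLOW", True))
```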
To run this example app you need to have signed up for a Stytch account and requested access to our DFP product (a step we require for security purposes).
Ensure you have pip, python and virtualenv installed.

```bash
git clone https://github.com/stytchauth/stytch-b2b-dfp-mfa-example.git
cd stytch-b2b-dfp-mfa-example
```

We suggest creating a virtualenv and activating it to avoid installing dependencies globally:

```bash
virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements.txt
```
Copy `.env.template` to `.env` and update the values with your Stytch project ID, secret and public token from the API Keys section of the Stytch Dashboard.
This app uses the default test Redirect URL of localhost:3000/authenticate. If you have updated your default Redirect URLs for Login and Signup, go to the Stytch Dashboard > Redirect URLs, and add http://localhost:3000/authenticate as the default "Discovery" Redirect URL.
Run:

```bash
python3 main.py
```

Go to http://localhost:3000/
Once you've set up your Stytch project, have your API keys and have signed into the app, you can use the Stytch Dashboard to add 'CHALLENGE' and 'BLOCK' authorization rules to test the behavior of the app.
- Go to Device Fingerprinting in the Stytch Dashboard
- Click on 'New Rule'
- Paste the fingerprint of the device for which you want to enforce a verdict of 'CHALLENGE' or 'BLOCK'
- Choose 'CHALLENGE' or 'BLOCK' from the 'Action' dropdown
- Click 'Save'
- Attempt to log in with the device that has the fingerprint you just added and observe the behavior of the app.
You can repeat this process for additional devices.
In addition to the dashboard, setting rules can be accomplished programmatically using the Stytch Set Rule API. Read more in our docs on Setting Rules with DFP.
This example app showcases a small portion of what you can accomplish with Stytch. Next, explore adding additional login methods, such as OAuth or SSO.
Join the discussion, ask questions, and suggest new features in our Slack community!
Check out the Stytch Forum or email us at [email protected].