Enroll TOTP factor with sessionToken

Is there a way to enrol the TOTP factor for a specific user later, by the user himself?
We have a mobile app in which we would like to allow users to create TOTPs and use those during login to the web app.

For this, we would like to have a button in our mobile app that says “activate TOTP factor”.
After that, an “enrol TOTP factor” process should begin.
The part I am not sure about is whether the enrolment request has to contain the stateToken, or could we maybe put sessionToken instead?
This is the current body of the “enrol TOTP factor” request:

{
  "stateToken": "007ucIX7PATyn94hsHfOLVaXAmOBkKHWnOOLG43bsb",
  "factorType": "token:software:totp",
  "provider": "OKTA"
}

We won’t have the stateToken available if we do the primary auth (with username and password), because this auth returns only a sessionToken.

So the question is:
Can we start TOTP enrolment as a logged-in user (with the user’s sessionToken, without the stateToken)?

If this is not possible, could we use the API for factor enrolment (no state/session tokens, but with an API key)?

If your primary auth call returns a sessionToken, then it sounds like your sign-on policy doesn’t prompt for MFA.

Can you try the steps listed under “Prompt an end user to enroll in a required factor” and then see if you get a stateToken from the primary auth call?

Hello @warren, thank you for your response!

I know I can do that, but my question is:
Can I have people manually activate/enrol the TOTP factor?

So, initially, all users log in with just username and password.
User can go to a screen in the mobile app and click “activate OTP factor”, which would then set up his account to have TOTP factor required on every login, but only for him (not for other users).

Is this possible (in any way)?

My initial idea was that in the request for TOTP enrolment, I might be able to replace the stateToken param with a sessionToken, but I am open to any other ideas as well.

You can use the Factors API to enroll and activate the factor.

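The Factors API flow from the reply above, as an added example that is not the thread's or Okta's own code: a backend helper that enrols a user's TOTP factor and then activates it with the code the user types in from their authenticator app. It assumes Okta's SSWS API-token header and the /api/v1/users/{userId}/factors and .../lifecycle/activate endpoints; the `http` parameter is a hypothetical injection point so the flow can be exercised offline.

```python
# Added example, not from the thread: server-side enrol + activate of an Okta
# TOTP factor via the Factors API. Endpoints and the SSWS scheme are Okta's;
# the `http` transport parameter is a hypothetical seam for offline testing.
import json
from typing import Any, Callable, Dict
from urllib import request

# (method, url, json_body, headers) -> parsed JSON response
Http = Callable[[str, str, Dict[str, Any], Dict[str, str]], Dict[str, Any]]


def _urllib_http(method: str, url: str, body: Dict[str, Any],
                 headers: Dict[str, str]) -> Dict[str, Any]:
    req = request.Request(url, data=json.dumps(body).encode(),
                          method=method, headers=headers)
    with request.urlopen(req) as resp:
        return json.load(resp)


def _headers(api_token: str) -> Dict[str, str]:
    # The SSWS token is an admin-level secret: keep it on the backend only,
    # never in the mobile app binary or in anything the app can read.
    return {"Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json"}


def enroll_totp(org_url: str, api_token: str, user_id: str,
                http: Http = _urllib_http) -> Dict[str, str]:
    """POST /api/v1/users/{userId}/factors with the same body the thread shows,
    minus stateToken. Returns the factor id plus the secret/QR to show the user."""
    body = {"factorType": "token:software:totp", "provider": "OKTA"}
    factor = http("POST", f"{org_url}/api/v1/users/{user_id}/factors",
                  body, _headers(api_token))
    if factor.get("status") != "PENDING_ACTIVATION":
        raise RuntimeError(f"unexpected enrol status: {factor.get('status')}")
    activation = factor["_embedded"]["activation"]
    return {"factor_id": factor["id"],
            "shared_secret": activation["sharedSecret"],
            "qrcode_url": activation["_links"]["qrcode"]["href"]}


def activate_totp(org_url: str, api_token: str, user_id: str, factor_id: str,
                  pass_code: str, http: Http = _urllib_http) -> bool:
    """POST .../factors/{factorId}/lifecycle/activate; True once the factor is ACTIVE."""
    if not (pass_code.isdigit() and len(pass_code) == 6):
        raise ValueError("TOTP pass code must be six digits")  # reject junk before calling Okta
    url = f"{org_url}/api/v1/users/{user_id}/factors/{factor_id}/lifecycle/activate"
    result = http("POST", url, {"passCode": pass_code}, _headers(api_token))
    return result.get("status") == "ACTIVE"
```

Because the API token is a privileged credential, this code belongs in a backend that the mobile app calls after the user has authenticated; the app only ever sends the user's identity and the six-digit code, never the token.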

Hello again. Thank you for answering.
I knew that, so I guess the other option (replacing stateToken with a sessionToken) will not be available.

@warren can you by any chance help me with this?