de-activate mfa on user level (w/o removing mfa devices or implementing new flow)

[mxlb-dev]

Hi,

what is the most elegant way to de-activate mfa for specific users? Afaik there are two options:
a) authentication-flow without mfa step
b) delete mfa devices on user-level

Are there other ways to implement this? Preferably I would like to pause/disable mfa for a subset of users.

Thanks!

[bahmanjafari]

I would like to clarify that we are using a dedicated service account for LDAP synchronization. For this specific account, we would like to disable MFA, while keeping MFA enabled for all other users

[scraejtp]

You can bind a policy to the MFA stage to skip it in your authentication flow. I use a policy where if I am on my local network it skips the MFA stage.

[ZeroVEVO]

Hy there! Can you give me more detail on how you implemented the policy for local network?

[ZeroVEVO]

I figured out how to edit the stage binding within the flow. it was a little bit differend than described here:
https://docs.goauthentik.io/customize/policies/working_with_policies/

Unfortunately, every policy I assign (i tried event policy, client ip (local ip) and user and even negated the policys) won´t work. Authentik just ignores the policy and executes the mfa stage either way. Some ideas?

[scraejtp]

My policy is to allow a user group that is logging in within the home network to bypass the MFA.

On the "default-authentication-mfa-validation" stage I have a custom policy bound called "LocalNetworkCheck". The stage binding is set to Evaluate when the stage is run.

The policy binding has the Negate Result set to true and the failure result is Don't Pass. My policy is setup where my static ip is in place of the xx.xx.xx.xxx :

IsHomeUser = ak_is_group_member(request.user, name="Home Users")
IsLocalIP = ak_client_ip in ip_network('xx.xx.xx.xxx/32')
return IsHomeUser and IsLocalIP

[NTaylor71]

I tried several different ways to achieve this task : Allowing one specific user to bypass 2FA and only one way worked for me (Authentik V2025.10) :

Find the Policy 'user-does-not-have-totp' and edit it

You should see its expression is :

return not ak_user_has_authenticator(request.user, device_type=None)

Swap that out for

pending_user = context.get('pending_user')
# Skip TOTP setup for USER_X
if pending_user and pending_user.username == "USER_X":
    return False
# Original logic - show setup only if user has no authenticator
return not ak_user_has_authenticator(request.user, device_type=None)

OR for multiple users and a (possibly) more reliable match using email addresses :

# Skip TOTP setup for specific users
if pending_user and pending_user.email in ["[email protected]", "[email protected]"]:
    return False
# Original logic
return not ak_user_has_authenticator(request.user, device_type=None)