There is a requirement where users with specific attributes, i.e. access group, division, etc., need to use OTP for login. I was thinking of using the OOTB OTP where Pega sends the OTP code via email to the user and the user needs to authenticate using the OTP after user/password authentication.
I created a new Authentication Service with a Post-authentication activity which calls pzHandleMFA. However, it always ends up showing a screen with the message "Verification code could not be sent to you by email or text. Please contact your administrator for assistance."
It would be appreciated if anyone who has done something similar could give me suggestions.
The API activities pxSendOTP and pxVerifyOTP cannot be called by an unauthenticated user, as these have the "Require authentication to run" check enabled in the "Security" tab of the activities. It seems these activities are not assumed to be called for login purposes. I don't know whether this is done on purpose or is just a bug. Considering the fact that "SendSimpleEmail" is called from pxSendOTP and "SendSimpleEmail" does not have the "Require authentication to run" check enabled, it seems like there is no reason for pxSendOTP to require authentication to run.
I decided to save the same rules under a different name and uncheck "Require authentication to run" so these can be called before authentication is done, for authentication (login) purposes.