I'm making a website that requires the user to log in with email and password to see most the site, but also requires two factor sms authentication when trying to visit a certain high security page.
I have attempted this by using firebase with google identity platform to have the user setup 2FA the first time they visit the high security page as described here. https://cloud.google.com/identity-platform/docs/web/mfa
Unfortunately, now the user can't sign in with just email and password, it gives a the error:
Firebase: Error (auth/multi-factor-auth-required).
It seems that firebase intends for me to force the user to sign in with 2FA everytime they want to sign in (which if I had finished reading the tutorial I would have realized this earlier).
So is there a way to only require 2FA when visiting a certain page of my website?
I have scoured the internet for anyone trying to do a similar thing but have found nothing.
I don't believe this is possible with Firebase Authentication nor Google Identity Platform.
It looks like Auth0 allows you to configure 2FA at the app-level (i.e. each app either is or is not 2FA enabled), or based on some higher level conditions (network, date/time, geographic location, etc.).
But I don't see a way to configure a web app such that different "pages" could be protected with 2FA separate from the rest of the app/site.