This is more a question about the architecture. I have a login which makes use of a JWT token to keep the user logged in for a while. This is done using NodeJS. I have added a way to verify yourself using an authenticator app once the user has logged in normally.
Do I now update the JWT token with the information that it has passed the MFA process? Or do I generate a new JWT token? Or do I not generate the token until MFA has been verified? What is the best way to keep track of how the user has authenticated?
If you have any answers, or sources with information on this, it would really help. Let me know if you need more clarification. Thanks in advance.