Enabling VIP Authentication Hub in the login flow.
Currently, postRiskEval call is required after the 2FA to register the device.
Since there is a huge volume of transactions, and users will go through device recognition when they come for the first time, they will have to undergo 2FA.
How can this surfacing of 2FA for all users be avoided while still allowing good devices to be registered and filtering out the bad ones?
There are 2 options:
A challenge is needed to mark a risky device as non-risky, and vice versa.
VIP Authentication Hub is risk-first and factor-later.
The best option is to enable the risk engine and run it in shadow mode (the risk engine runs, but no action is taken based on its risk score or reasons) until you are confident that the risk engine has enough data to analyse user profiles.
Once there is that confidence, enable the risk engine and take actions based on its results (enabling or disabling the risk engine accordingly).
No MFA is needed for the device to get registered, even with single-factor authentication (SFA).
VIP Authentication Hub can send the x-device-tag and make a post-risk evaluation call.
The post-risk evaluation call SHOULD BE MADE on the LAST AUTHENTICATION CALL.
For every risk evaluation call where "risky" is true in the response, a post-risk evaluation call should be made.
This applies whether it is single-factor or MFA authentication.
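As an added illustration (not code from VIP Authentication Hub or its documentation), the following Python models the shadow-versus-enforce decision and the rule that the post-risk evaluation call is only made on the last successful authentication call. The riskEval/postRiskEval stand-ins, the in-memory device store and every field name other than "risky" and x-device-tag are assumptions.

```python
# Added example: models the login-flow orchestration described above.
# riskEval/postRiskEval are constructed in-memory stand-ins, not the real API.
from dataclasses import dataclass, field
from enum import Enum


class RiskMode(Enum):
    SHADOW = "shadow"    # run the risk engine, record its verdict, never act on it
    ENFORCE = "enforce"  # act on the risk engine's verdict (challenge risky devices)


@dataclass
class LoginOutcome:
    challenge_required: bool                 # did the flow surface 2FA?
    device_registered: bool                  # was postRiskEval made on the last auth call?
    shadow_verdicts: list = field(default_factory=list)  # risk seen but not acted on


def risk_eval(user: str, device_tag: str, known_devices: set) -> dict:
    """Constructed stand-in for riskEval: a device the engine has not seen is risky."""
    return {"risky": (user, device_tag) not in known_devices}


def post_risk_eval(user: str, device_tag: str, known_devices: set) -> None:
    """Constructed stand-in for postRiskEval: registers the device as known-good."""
    known_devices.add((user, device_tag))


def login(user, device_tag, password_ok, second_factor_ok, mode, known_devices):
    outcome = LoginOutcome(challenge_required=False, device_registered=False)
    if not password_ok:
        return outcome  # first factor failed: no risk action, no registration
    verdict = risk_eval(user, device_tag, known_devices)  # x-device-tag sent here
    if verdict["risky"] and mode is RiskMode.SHADOW:
        outcome.shadow_verdicts.append(verdict)  # collect data only, user is not challenged
    if verdict["risky"] and mode is RiskMode.ENFORCE:
        outcome.challenge_required = True  # challenge is what turns a risky device non-risky
        if not second_factor_ok:
            return outcome  # last authentication call failed: do not register
    # postRiskEval only on the LAST successful authentication call, whether
    # that was the single factor (SFA) or the second factor (MFA).
    post_risk_eval(user, device_tag, known_devices)
    outcome.device_registered = True
    return outcome
```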