I am looking to implement my own custom 2FA (TOTP-based, e.g. usable by Google Authenticator and similar apps) for Firebase Authentication (using email/password authentication). Verifying the code is simple. Implement TOTP or use a library in a cloud function and test that against a code sent from the client. However, remembering that a session is valid (has been 2FA-authed) is a different story. I could try custom claims, but those apply to all new sessions, not just the current one.
What I would like to do is somehow issue a new ID token from a cloud function with a custom claim (e.g. `trusted: true`) that only exists on that token and no future ones.