Unable to renew token when MFA is enabled

I am using the webAuth.checkSession method to silently renew the token. It all worked well but when I enabled MFA. the renew failed with the following error {error: "login_required", error_description: "Multifactor authentication required"}

Is there a way to keep the renew feature working with MFA is enabled?

My case is :

1. User enter username/password and perform MFA Guardian

2. User logged in successfully and the checkSession to renew token will succeed.

3. After user logged out they need to perform the MFA Guardian again.

There is a topic which have the same issue as I am Silent Auth Fails due to MFA switched on - Auth0 Community

@jmangelo could you please give me your advice on this. Thanks

As mentioned in the answer to the question you linked to if you allow end-users to remember their browsers then checkSession will succeed for those that opted-in to that option so technically that’s a way to have silent authentication working with MFA, however, I’m guessing your exact requirements are not satisfied by the above. If that’s the case you should update the question with some more context information about your case; for example, do you want to always bypass no matter user selection or any other things you require.

@jmangelo I have updated my case. All I want is when user has logged in successfully and performed MFA the MFA should be bypass in the renew token. But when user logged out and re-login they need to perform MFA again

@jmangelo Could you please help me on this as I don’t know how to make the silent renew token work when MFA is enabled

As mentioned in the answer when remember browser is enabled and the end-user chooses it then refreshing is possible. Are you having an issue with that or with MFA not being triggered after logout?

My issue is that I want after login successfully(performed MFA) the MFA need to be bypassed regardless the user select “allow browser remember” or not when perform Silent Authentication. But when we log-out I want the MFA to be trigger normally.

Is there a way to do this? Thanks

The part about bypassing MFA regardless of the user selection I don’t thinks is possible because you can define a bypass criteria in rules, but to my knowledge there’s no reliable way in rules to detect if the authentication is being performed based on an existing session (bypass MFA) or based on user inputting credentials (after logout; do not bypass MFA).

what about if i want to use the SMS in MFA this will not allow ‘remember their browsers’ option .
so i will never be able to renew the token without actual login.

@it4 any luck with refreshing the token silently while MFA enabled, without force login again, i am facing the same scenario

I also have similar requirements for my application and from this thread I can see that I have no way to achieve them.
I am using allowRememberBrowser = true , but I would also like for the users to be able to skip the MFA after successful MFA authentication even if they have not checked the “Remember browser” box for their current session.
Here is the flow that we have in our application: user signs up and enrolls to MFA (there is no opportunity to check the “Remember browser” box when enrolling) → user needs to verify their email address via a link in the email → the link brings them to our website → the MFA is prompted again (now with an ability to check the “Remember browser” box, but having to do it twice is still a bad UX).

I’m facing the same issue. Would be nice if Auth0 could provide a way to avoid asking 2FA again right after registration.

I was having the same problem, I’m using the @auth0/auth0-react library and what worked for me was setting the cacheLocation to localstorage

Thanks for sharing that with the rest of community!