Allow a Tenant to force all Auth0 Dashboard users to have MFA active.
I would like to enforce that MFA is active for all users of the Auth0 Dashboard that can see and modify how our Auth0 Tenant is configured. Any users that do not have MFA active should be unable to access the dashboard until their MFA is set up.
It is undesirable to need to regularly check the Auth0 Dashboard manually to ensure all dashboard users currently have MFA enabled and to chase any users without MFA to enable it.
This request was originally raised as a support ticket, but I was informed it was currently a product feature request with no ETA and that raising it here was the preferred way to upvote the priority of this product request. See also Enforce MFA for Dashboard Admins
Auth0 is a primary authentication mechanism for a service provided to our customers that expect PCI and SOC2 compliance so we want to ensure that the ability to modify how auth is performed is subject to strong security checks.
I’m somewhat surprised this isn’t already an option for a security/identity focussed platform such as Auth0, especially given we’re able to enforce MFA for customers.
Another option is setting up SSO for business users and enforcing strong authentication requirements in your internal IdP, but as invites can be accepted by recipients using any of the available login methods that doesn’t guarantee that tenant members will always be covered by those requirements. The only way I can see to guard against this is regularly auditing the lists of tenant members and their IdP - which is time consuming and will end up getting overlooked.
The thread linked above included a statement suggesting this was in the works in 2017, are there any updates available?
I also find it very bizarre that you can force it for API/Application users but not for admin/dashboard users. Maybe because dashboard users should be very small and you can manually manage it easier. IDK, it’s really something I don’t want to have to think about, and it can be very devastating if one person has a bad security moment.
Where do we stand on this? Is there a way to enforce it for tenant admins? I see there is a MFA section in “Security” => “Multi-Factor Auth” but I believe this is for end-customers of our applications and not only admins.