Allow users to opt-in to MFA

There should be an option for users to enroll in MFA - it should not only be ‘Always’ or ‘Never’ like it is now.

Most times when MFA is available on the Internet, it’s optional, not forced upon the user. Why is this not the case in Auth0? The closest thing to this normal behavior is the ‘Adaptive MFA’, but that’s not optional either.

At the minimum there should be a way to accomplish this using Actions.

Hi @bryans,

You can do this, but currently you need to build your own app to handle it. Use an Action to redirect users to a microsite that gives them the option to enroll or continue w/o enrolling. Or build it into a user preferences / security portal. This is worth building anyway, to give users the ability to manage their Auth0 profiles and security.

Mark

2 Likes

Can you be more specific? What do I redirect to after enrolling? How do I enroll MFA on a user-by-user basis?

Hi @evan.gillogley,

Unfortunately the answer is it depends on how you decide to handle MFA.

If you choose “never”, MFA is entirely in your hands. You decide who has to enrol in MFA and when they have to perform the MFA challenge ceremony. This is typically handled using Auth0 Actions. You decide how to manage MFA, whether you use the enrolment workflows built into Universal Login or you build your own app to allow for self-service.

Or you can use the Adaptive MFA option and let Auth0 handle most of the work. For users not enrolled in MFA, Auth0 will fall back to their registered email address.
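
A post-login Action for the "Never" policy approach described in the replies above, added here as an illustration and not posted by anyone in the thread. The `mfa_opt_in` flag is an assumed name that a self-service page would set through the Management API; it lives in `app_metadata` because users cannot edit that themselves, unlike `user_metadata`.

```javascript
// Added example: opt-in MFA with the tenant MFA policy set to "Never".
// Assumption: a self-service page (hypothetical) sets
// app_metadata.mfa_opt_in = true when the user chooses to use MFA.

// Decide whether this login must complete an MFA challenge.
function shouldRequireMfa(user) {
  // event.user.multifactor lists the MFA providers the user is enrolled with.
  const enrolled = Array.isArray(user.multifactor) && user.multifactor.length > 0;
  // Strict comparison: only a real boolean true counts as opting in.
  const optedIn = Boolean(user.app_metadata && user.app_metadata.mfa_opt_in === true);
  // An existing enrollment keeps MFA on even if the flag is later cleared,
  // so clearing the metadata flag alone does not turn the challenge off.
  return enrolled || optedIn;
}

async function onExecutePostLogin(event, api) {
  if (shouldRequireMfa(event.user)) {
    // "any" uses whichever factors the tenant has enabled. A user who opted
    // in but has no factor yet is prompted to enroll during this login.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
  // Users who never opted in fall through with no challenge.
}

// Auth0 Actions load the handler from exports.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Turning MFA off again needs its own flow that removes the user's enrollments, because this Action keeps challenging anyone who still has a factor registered.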