Approach to Handling Expired MFA OTP Error

Problem statement

It is not currently possible to configure the MFA OTP transaction timeout which is set to 5 minutes. Are there any strategies to handle this scenario gracefully and reduce potential end-user friction?

Solution

Overview:
The Auth0 MFA transaction timeout has a 5-minute limit between providing the first and second factors. For example, after the user logs in with a password, they have 5 minutes to input the OTP that is sent via SMS to their mobile number. After 5 minutes, the MFA transaction expires and the user must start the whole login process over again.

After the MFA transaction expires, if the user inputs the OTP and clicks the Continue button, they are redirected to either the Auth0 default error page (if no custom error page is configured) or the configured custom error page. That page offers no means (e.g. a button or a link) for the user to restart the login process, which causes friction in the user experience.

Workaround:

  1. When Auth0 redirects the user to the error page because the MFA transaction expired, the error information is passed to the error page in the query parameters. For this specific scenario, you can expect the 'error' and 'error_description' parameters as below:
    error=invalid_request&error_description=The transaction has expired

  2. On the error page, you can detect the above error and implement an automatic redirect to an application login URL.

  3. On the page at the application login URL, either restart the login process automatically or display a button the user can click to start over. This page can also describe what happened so the user is informed of the situation, which provides a better end-user experience.
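The following script implements steps 1 to 3 on a custom error page. It is an added example, not Auth0's own code; the application login URL and the `reason` query parameter it appends are assumptions. The login URL is a fixed constant rather than something read from the query string, so the error page cannot be turned into an open redirector, and only the exact expiry error triggers the redirect.

```javascript
// Added example (not Auth0's own code): runs on a custom error page.
// Assumption: the application login URL is a fixed constant and is never
// taken from the query string (placeholder value below).
const APP_LOGIN_URL = "https://app.example.com/login";

// Values Auth0 places in the query string when the MFA transaction expires.
const EXPIRED_ERROR = "invalid_request";
const EXPIRED_DESCRIPTION = "The transaction has expired";

// Step 1/2: parse the query string the error page was loaded with and decide
// whether this is the MFA-expiry case. Both parameters must match exactly so
// unrelated errors are not silently redirected away.
function isExpiredMfaTransaction(search) {
  const params = new URLSearchParams(search);
  return (
    params.get("error") === EXPIRED_ERROR &&
    params.get("error_description") === EXPIRED_DESCRIPTION
  );
}

// Step 2: build the redirect target. Only a short reason code (assumed name)
// is appended so the login page (step 3) can show a friendly explanation.
function buildRestartUrl(search, loginUrl = APP_LOGIN_URL) {
  if (!isExpiredMfaTransaction(search)) {
    return null; // some other error: leave the error page as it is
  }
  const url = new URL(loginUrl);
  url.searchParams.set("reason", "mfa_expired");
  return url.toString();
}

// Browser entry point: redirect automatically when the expiry error is present.
// `win` is injected so the logic can be exercised outside a browser.
function handleErrorPage(win) {
  const target = buildRestartUrl(win.location.search);
  if (target) {
    win.location.replace(target); // replace() keeps the error page out of history
  }
  return target;
}

if (typeof window !== "undefined") {
  handleErrorPage(window);
}
```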