April 29 Auth0 Community Ask Me Anything: Multi-Factor Authentication (MFA)

We’re excited to invite you to our next interactive Auth0 Community Ask Me Anything session on April 29.

This is your chance to learn how to strengthen your security posture, reduce the risk of phishing and credential theft, meet compliance requirements, and more. Whether you’re new to multi-factor authentication (MFA) or looking to optimize your current setup, this session will help you understand the value of MFA and how to tailor it to fit your needs.

How it Works
From April 10 to April 28, 2025, Auth0 developers, customers, and community members are invited to submit their MFA-related questions right here in the Auth0 Community. Just click “Reply” in this thread to join the discussion.

On April 29, from 9:00 AM to 11:00 AM PST, our product experts will be online and actively responding with detailed written answers to all questions submitted during the two-week period.

🎉 As a bonus, everyone who participates will earn points and a special community badge!

What You’ll Learn

  • What MFA is, how it works, and why it matters

  • Best practices for implementing MFA in your apps or platforms

  • How to balance strong security with a smooth user experience

  • Ways to customize MFA for different user types or risk levels

  • Tips for selecting the right authentication methods like biometrics, SMS, or authenticator apps

  • Real-world examples of how others have successfully rolled out MFA

  • Answers to your specific technical, strategic, or implementation questions

Submit your questions by clicking the “Reply” button below anytime between today, April 10, and April 28, 2025.

Featured Expert
Nithin Moorthy, Senior Product Manager

4 Likes

When do we need MFA? Is Social Login always enough?

1 Like

I’m trying to implement a more controlled MFA flow in a Post-Login Action, specifically avoiding email as a fallback and focusing on Phone, OTP, and WebAuthn Platform. I’m using enrollWith and challengeWith for this. My challenge lies in how to conditionally trigger a WebAuthn Platform (biometrics) challenge. I only want to prompt the user for biometric verification if their current device/browser has already been enrolled. If a user who enrolled biometrics on one device logs in on a new, unenrolled device, I don’t want to present the WebAuthn challenge. How can I detect existing WebAuthn Platform enrollment on the current device within a Post-Login Action to enable this conditional challenge?

Furthermore, I’m seeing unexpected behavior with progressive enrollment. If a user enrolls in WebAuthn on macOS Safari and then logs into iOS Safari, they are prompted to enroll again, which then fails with an error. This issue reinforces the need for a mechanism within the Post-Login Action to accurately identify device-specific WebAuthn enrollments. Any insights on how to achieve the conditional challenge and prevent this progressive enrollment error?

1 Like

How can we monitor our Adaptive MFA implementation metrics to ensure success and gauge customer friction?

  • How many users were prompted for MFA?
  • Why was that user prompted?
  • Tracking attempts/failed logins?

We would want to know these things to determine if we want to build our own custom MFA trigger, rather than using Auth0’s logic. Thank you.

2 Likes

  1. How can I enable the email factor on the MFA enrollment screen? I have already configured SendGrid, but it is not visible during enrollment.
  2. Alternatively, how can we configure the email factor for a user who does not provide an email during signup?

I have a web application in React. We configured ID Token Expiration (Maximum ID Token Lifetime) to 30 seconds, but I saw that the session always finished in 24 hours. How can I increase the session lifetime?