We’re excited to invite you to our next interactive Auth0 Community Ask Me Anything session on April 29.
This is your chance to learn how to strengthen your security posture, reduce the risk of phishing and credential theft, meet compliance requirements, and more. Whether you’re new to multi-factor authentication (MFA) or looking to optimize your current setup, this session will help you understand the value of MFA and how to tailor it to fit your needs.
How it Works
From April 10 to April 28, 2025, Auth0 developers, customers, and community members are invited to submit their MFA-related questions right here in the Auth0 Community. Just click “Reply” in this thread to join the discussion.
On April 29, from 9:00 AM to 11:00 AM PST, our product experts will be online and actively responding with detailed written answers to all questions submitted during the two-week period.
As a bonus, everyone who participates will earn points and a special community badge!
What You’ll Learn
What MFA is, how it works, and why it matters
Best practices for implementing MFA in your apps or platforms
How to balance strong security with a smooth user experience
Ways to customize MFA for different user types or risk levels
Tips for selecting the right authentication methods like biometrics, SMS, or authenticator apps
Real-world examples of how others have successfully rolled out MFA
Answers to your specific technical, strategic, or implementation questions
Submit your questions by clicking the “Reply” button below anytime between today, April 10, and April 28, 2025.
Featured Expert
Nithin Moorthy, Senior Product Manager
I’m trying to implement a more controlled MFA flow in a Post-Login Action, specifically avoiding email as a fallback and focusing on Phone, OTP, and WebAuthn Platform. I’m using enrollWith and challengeWith for this. My challenge lies in how to conditionally trigger a WebAuthn Platform (biometrics) challenge. I only want to prompt the user for biometric verification if their current device/browser has already been enrolled. If a user who enrolled biometrics on one device logs in on a new, unenrolled device, I don’t want to present the WebAuthn challenge. How can I detect existing WebAuthn Platform enrollment on the current device within a Post-Login Action to enable this conditional challenge?
Furthermore, I’m seeing an unexpected behavior with progressive enrollment. If a user enrolls in WebAuthn on macOS Safari and then logs into iOS Safari, they are prompted to enroll again, which then fails with an error. This issue reinforces the need for a mechanism within the Post-Login Action to accurately identify device-specific WebAuthn enrollments. Any insights on how to achieve both the conditional challenge and prevent this progressive enrollment error?
How can we monitor our Adaptive MFA implementation metrics to ensure success and gauge customer friction?
How many users were prompted for MFA?
Why was that user prompted?
Tracking attempts/failed logins?
We would want to know these things to determine if we want to build our own custom MFA trigger, rather than using Auth0’s logic. Thank you.
I have a web application in React. We configured ID Token Expiration (Maximum ID Token Lifetime) to 30 seconds, but I saw that the session always finished in 24 hours. How can I increase the session lifetime?