Auth0 asks for Guardian instead of any MFA provider

Hello everybody. I have added a Rule that enforces MFA only for users belonging to specific roles. You can find the rule below.

When the rule is off, MFA is correctly not asked of anyone.
As soon as I turn the rule on, Auth0 starts asking these users in our applications to enroll in Auth0 Guardian even if they have already configured an alternative MFA provider such as Google Authenticator.

Strangely, when these users try to log in to auth0.com (because some users are also Auth0 tenant admins), the rule works correctly: it just asks for ANY MFA token and does not try to enroll users in Auth0 Guardian.

```js
function multifactorAuthentication(user, context, callback) {
  const assignedRoles = (context.authorization || {}).roles || [];
  const requireMfaRoles = ["god"];
  const inCommon = assignedRoles.some(r => requireMfaRoles.includes(r));
  if (inCommon) {
    // Force 2FA
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
  callback(null, user, context);
}
```

Attached you can find a PDF screenshot that shows the configuration of MFA.

Multifactor Authentication.pdf (343.1 KB)

Thank you in advance.
Emanuele

I’ve just discovered that in order to use MFAs other than Auth0 Guardian you need to have an active Professional subscription. :sweat_smile:


No worries! We’ve all been there! Thanks for sharing with the rest of the community!