Behaviour of Require MFA Once Per Session rule/action on native apps

It looks like MFA is triggered only once in native apps and users are never challenged again when they logout and come back. Even uninstalling and re-installing of apps does not trigger MFA.

We have our own custom rule to trigger MFA every time user logs in (Except silent auth and refresh token exchange) which is inspired by this one.
As per the docs, we do trigger mfa by setting allowRememberBrowser to false and use classic universal login page with Authorization code flow with PKCE.

With that implementation in place, we have no issues in our SPAs. The user is always prompted for MFA but due to some reason for native apps this is not the case.

For native apps, the below line of code always returns the name as ‘mfa’ and the timestamp when I first used mfa to login

const completedMfa = !!authMethods.find((method) => === 'mfa');

What am I missing here? How is it still remembering the mfa in-spite of passing allowRememberBrowser as false. Am I missing any other configuration or if this is how it works then I didn’t find any explanation about it in the official docs

It seems that the behavior you are experiencing in native apps is due to the way refresh tokens and session management work in Auth0. When MFA is completed during the initial login, the refresh token is issued with the MFA status. Subsequent logins using the same refresh token will not trigger MFA again, even if the user logs out or reinstalls the app.

To overcome this behavior and enforce MFA every time the user logs in, you can consider the following options:

  1. Implement a custom solution in your app to clear the refresh token upon logout or uninstallation/reinstallation. This will ensure that a new refresh token is generated for each login session, triggering MFA again.

  2. Instead of relying solely on the MFA status stored in the refresh token, you can include an additional custom claim in the user’s ID token that indicates whether MFA was completed during the current login session. You can achieve this by using a custom rule in Auth0.

  3. Implement a custom API endpoint that clears the refresh token on logout or uninstallation/reinstallation. When the user performs these actions, make a request to this endpoint to invalidate the existing refresh token.

By implementing one of these approaches, you can enforce MFA every time the user logs in, ensuring a higher level of security in your native apps.