When using the New Universal Login Experience configured with Auth0 Guardian SMS MFA, if the user is unable to pass MFA, they will be stuck on that page and there is no way to invalidate their session to sign in with a different user. Refreshing the page in an attempt to sign in with a different account will skip the username + password flow and bring you straight back to this MFA challenge. The only way for the user to unblock themselves is for them to delete their cookies.
I see two solutions to this issue:
Do not create a validated Auth0 session until the user has successfully passed both the username + password step, as well as MFA.
Have a link within the MFA dialogue that allows the user to abort the MFA flow and sign in with a different user.
Agreed. Additionally, for TOTP authentication it does not show the account for which authentication is requested, making this extra challenging. A "cancel sign in" button is sorely needed here as this scenario is impossible to handle from the application side.
The same applies to the account registration flow with the New Universal Login Experience.
There must be an option for the user to cancel registration/sign-in and then proceed with another user/action to escape the MFA enrollment page.
Feature:
Allow users to "logout" or reset the login flow from the MFA screen.
Description:
During the login flow, once you submit valid credentials and are pushed into the MFA prompt, there is no way to go back and enter different credentials. This is problematic in the case that the user cannot complete MFA due to not being the account owner, loss of access to the MFA method, etc.
For example, a shared household machine may have multiple credentials saved in the browser. If you were to accidentally submit the wrong credentials, you would be entered into the MFA flow with no way to complete it or escape it short of clearing your browser data - a solution that is not overtly clear to the average user.
Hi folks, I've brought this up to our team and added it to the backlog, no ETA at this time.
It would be helpful to know the scope of effect for this issue. Are you seeing users blocked by this in the field? Or is this something that you are running into during the development process?
Give your users the option to switch users by adding a link in the footer to the logout endpoint. This will clear the session.
You can render the link only for the MFA page using a conditional:
{% if prompt.name contains "mfa" %}
<footer class="footer">
<ul>
<li><a href="https://{YOUR_DOMAIN}/v2/logout">Sign in with a different account</a></li>
</ul>
</footer>
{% endif %}
The provided workaround might seem like a solution, and it would be if you only have one application per tenant. Given that the MFA page is tenant-wide, how do you specify a different redirect for each application? The MFA page doesn't have any client_id or redirect in the query params.
Could you please provide an update on this issue? I'm trying to use the default design for universal login without any custom changes. However, when I try to add the logout logic to the Customize MFA Page, it completely changes the design, and I'm unable to find a way to modify the widget design when using the Customize MFA Page.
In the action you can deny with HTML to provide a logout link with the returnTo param:
api.access.deny(
  // The reason must be a string; the HTML is built with a template literal.
  `<a href="https://${event.request.hostname}/v2/logout?client_id=${event.client.client_id}&returnTo=${event.request.query.redirect_uri}">Link</a>`
);