When using the New Universal Login Experience configured with Auth0 Guardian SMS MFA, if the user is unable to pass MFA, they will be stuck on that page and there is no way to invalidate their session to sign in with a different user. Refreshing the page in an attempt to sign in with a different account will skip the username + password flow and bring them straight back to this MFA challenge. The only way for the user to unblock themselves is for them to delete their cookies.
I see two solutions to this issue:
- Do not create a validated Auth0 session until the user has successfully passed both the username + password step, as well as MFA.
- Have a link within the MFA dialogue that allows the user to abort the MFA flow and sign in with a different user.
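As an added illustration of the two proposals above (this is a hypothetical server-side session model, not Auth0's code, and `verifyCode` is an assumed stand-in for the real SMS check), a session here is only marked authenticated once both factors have passed, and a half-finished MFA session can be discarded without the user clearing cookies:

```javascript
// Added example (not Auth0 code): a minimal server-side session model.
// Constructed in-memory store: sessionId -> { state, user }
const sessions = new Map();
let nextId = 0; // a real implementation would use a random, unguessable id

// Step 1: password verified. The session only records that MFA is pending;
// it does not yet grant access to the application.
function startPasswordLogin(user) {
  const sessionId = "sess-" + (++nextId);
  sessions.set(sessionId, { state: "mfa_pending", user });
  return sessionId;
}

// Step 2: second factor. Only now does the session become authenticated.
function completeMfa(sessionId, code, verifyCode) {
  const s = sessions.get(sessionId);
  if (!s || s.state !== "mfa_pending") return false;
  if (!verifyCode(s.user, code)) return false;
  s.state = "authenticated";
  return true;
}

// "Sign in with a different user": drop the half-finished session so the
// next page load returns to the username + password step.
function abortMfa(sessionId) {
  sessions.delete(sessionId);
}

// What the application checks before serving protected content.
function isAuthenticated(sessionId) {
  const s = sessions.get(sessionId);
  return !!s && s.state === "authenticated";
}

// Which page to render for a given session cookie on load or refresh:
// no session -> login form; pending -> MFA challenge; authenticated -> app.
function routeFor(sessionId) {
  const s = sessions.get(sessionId);
  if (!s) return "login";
  return s.state === "mfa_pending" ? "mfa" : "app";
}
```

A refresh while the session is still `mfa_pending` re-renders the MFA challenge but never the application; `abortMfa` is what a "sign in as a different user" link would call.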