Can I trigger MFA in Auth0 without redirecting to Auth0’s MFA page

Hi,
I am working on a project where I need to trigger MFA for a user but without redirecting them to Auth0’s default MFA screen.

My requirements:

  • I want to fully customize the MFA UI and host it on my own domain.
  • I do not want the user to see Auth0’s MFA challenge page.
  • I want to handle OTP input and verification completely via API calls from my backend/frontend.

What I tried:

  • Using the /mfa/challenge API requires an mfa_token, which seems to be generated only after Auth0’s login flow redirects to the MFA page.
  • I tried obtaining an mfa_token directly via the Management API or the Resource Owner Password Grant, but it seems restricted.

My question:
Is there a way to:

  1. Initiate MFA programmatically via API without redirecting the user to Auth0’s hosted MFA challenge screen?
  2. Obtain an mfa_token directly after user authentication, so I can call /mfa/challenge and /mfa/verify on my own custom screen?

If this is not possible, please confirm so I can adjust my architecture accordingly.

Hi @nihalm5930
Welcome to the Auth0 Community! I have moved this question to our Get Help category so one of our community engineers can assist you. For additional help in the future, please search for answers first, and if you need further assistance, please post in our Get Help category, as our community engineers track incoming inquiries.

Thanks,
Christina


Hi @nihalm5930,

Welcome to the Auth0 Community!

Your desired use case is definitely achievable through the use of the MFA API. To call the MFA API to manage enrollments you first need to Get MFA API access tokens. This documentation specifically says the following about your scenario:

If you are building a user interface to manage authentication factors, you’ll need to obtain a token you can use for the MFA API.

You will have to follow the steps mentioned in the Authenticate Using the Resource Owner Password Flow with MFA documentation, so this would look similar to:

  1. Authenticate the User. After the user enters their credentials, the response will include the mfa_token:

     {
       "error": "mfa_required",
       "error_description": "Multifactor authentication required",
       "mfa_token": "YOUR_MFA_TOKEN"
     }

  2. Initiate the MFA Challenge. On your custom MFA screen, use the obtained mfa_token to request the challenge.
  3. Verify the MFA Code. Send a final request to the /oauth/token endpoint to verify the code and get the final tokens.

I would also mention that using the ROPG flow is highly discouraged, so you can also check - Avoid Common Issues with Resource Owner Password Flow and Attack Protection.

In order for you to send the users to your customized MFA page, you can use the Redirect with Actions extensibility, which allows you to redirect a user after they have authenticated with username and password, but before MFA was triggered or tokens were issued. You can also check the schema for Redirect Actions for Partners for a better understanding of the flow.

I hope this helps!
Kind regards,
Remus
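As an added example (not code from this thread or from Auth0's own SDKs), here is the three-step backend flow described in the answer above, written in Python with only the standard library: password grant, mfa_required with an mfa_token, /mfa/challenge, then the mfa-otp grant against /oauth/token. The tenant domain, client credentials and token values are constructed placeholders, the fake_auth0 transport stands in for Auth0 so the flow runs offline, and only the OTP challenge type is covered (push and SMS use the oob grant instead).

```python
import json
from urllib import error, request

MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"  # Auth0's grant type for OTP verification

def http_post(url, data):
    """Real transport: POST a JSON body and return (status, parsed JSON), including 4xx error bodies."""
    req = request.Request(url, data=json.dumps(data).encode(), headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as e:  # mfa_required comes back as HTTP 403 with a JSON body
        return e.code, json.load(e)

def login_with_mfa(domain, client_id, client_secret, username, password, audience, read_otp, post=http_post):
    """Run the ROPG-with-MFA flow from the backend; read_otp() returns the code typed into the custom UI."""
    base, creds = f"https://{domain}", {"client_id": client_id, "client_secret": client_secret}
    # Step 1: Resource Owner Password grant. With an MFA policy in place Auth0 does not issue
    # tokens but answers mfa_required together with a short-lived mfa_token.
    status, body = post(f"{base}/oauth/token", {"grant_type": "password", "username": username,
                        "password": password, "audience": audience, "scope": "openid", **creds})
    if status == 200:
        return body  # no MFA required for this user: tokens issued directly
    if body.get("error") != "mfa_required":
        raise PermissionError(body.get("error_description", "login failed"))
    mfa_token = body["mfa_token"]  # keep server-side; it is a bearer credential for the MFA API
    # Step 2: start an OTP challenge; the user reads the code from their authenticator app,
    # so the custom page only has to collect it.
    status, chal = post(f"{base}/mfa/challenge", {"mfa_token": mfa_token, "challenge_type": "otp", **creds})
    if status != 200 or chal.get("challenge_type") != "otp":
        raise RuntimeError(f"challenge not started: {chal}")
    # Step 3: exchange mfa_token plus the user's OTP for the final tokens.
    status, tokens = post(f"{base}/oauth/token", {"grant_type": MFA_OTP_GRANT, "mfa_token": mfa_token,
                          "otp": read_otp(), **creds})
    if status != 200:
        raise PermissionError(tokens.get("error_description", "OTP rejected"))
    return tokens

def fake_auth0(url, data):
    """Constructed stand-in for the Auth0 endpoints so the flow can be exercised offline."""
    if url.endswith("/oauth/token") and data.get("grant_type") == "password":
        return 403, {"error": "mfa_required", "error_description": "Multifactor authentication required",
                     "mfa_token": "mfa_token_constructed"}
    if url.endswith("/mfa/challenge") and data.get("mfa_token") == "mfa_token_constructed":
        return 200, {"challenge_type": "otp"}
    if url.endswith("/oauth/token") and data.get("grant_type") == MFA_OTP_GRANT \
            and data.get("mfa_token") == "mfa_token_constructed" and data.get("otp") == "123456":
        return 200, {"access_token": "access_constructed", "token_type": "Bearer", "expires_in": 86400}
    return 403, {"error": "invalid_grant", "error_description": "Invalid otp_code."}
```

Pass `post=fake_auth0` to exercise the flow locally; with the default `http_post` the same function talks to a real tenant, where the client secret and mfa_token must stay on the server side.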

I’m excited to join and understand the MFA things
