Hi Auth0 team,
We’re implementing a flexible MFA flow using Auth0 Actions, and we’ve encountered a scenario we’re unsure how to support.
Current Behavior:
- If a user is enrolled with SMS MFA, they’re challenged via SMS during login and proceed after successfully entering the code.
Desired Behavior:
After the SMS MFA challenge is completed successfully, we would like to:
- Prompt the user with a message like:
  “Would you like to enroll in a more secure method, such as an Authenticator App (OTP), Push Notification, etc.?”
- If they click Continue, direct them to the enrollment page, which contains a list of methods: OTP, Push Notification, etc. And depending on what they click, the enrollment page displays
- If they decline, complete the login process as usual.
What We’ve Tried:
- We’re currently using a post-login Action, but from what we understand, once the MFA challenge succeeds, the login flow completes.
- We haven’t found a way to intercept or redirect after a successful MFA step to optionally trigger OTP/Push Notification enrollment.
Question:
Is there a supported way within Auth0 to:
- Present a post-MFA prompt (but before redirecting to the app),
- Or, redirect the user to an OTP enrollment screen after login (but before sending the token to the app)?
If not natively supported, could this be achieved via:
- A hosted page redirect in the Action?
- A custom login flow or custom domain behavior?
- Or is this something best handled after login, within our own app, using the Management API?
Thanks in advance for your guidance!
Dy