Conditional MFA Not Working

I am trying to implement some conditional MFA by following this article https://auth0.com/docs/mfa/customize-mfa-user-pages?_ga=2.236822529.1008315000.1600780779-173653597.1582123480#change-the-frequency-of-authentication-requests

The idea is that users will only be asked to perform MFA once per session rather than every time the JWT expires. I have a JWT expiry of 15 minutes. My client is an SPA.

I have a rule which checks if MFA has been performed for the current session and if not requests it by setting the context.multifactor property. My rule looks like this:

  function multifactorAuthentication(user, context, callback) {
 
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );
  
  console.log('multifactorAuthentication - MFA completed was:', completedMfa);
 
  if (!completedMfa) {
    console.log('Request MFA');
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false
    };
  }
 
  callback(null, user, context);
}

By looking at the real time logs, I can see that the first time the user logs in, the completedMfa flag is set to false and context.multifactor object is initialised.

When the JWT has expired, the SPA code calls checkSession() which results in my rule being executed again. This time the completedMfa flag is true and the conditional block setting up MFA is skipped. However, checkSession is returning an error saying login required. It appears that my script is not having any affect on whether MFA is required or not. What am I missing here?

From a configuration perspective MFA can be triggered from rules or through the Require Multi-factor Auth setting available in the MFA dashboard section. It’s a long shot, but have you already confirmed that this other settings is not configured to always require MFA?

Well that was a simple fix. I’ve set the MFA to never in the dashboard and now the conditional stuff works. Thanks very much!!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.