Custom Action to Decide MFA Frequency for Resource Owner Flows

Overview

This article explains how to control the frequency of Multifactor Authentication (MFA), or how long a user can log in before being prompted for MFA when using the Resource Owner Password flow or an Embedded login page.

Applies To

  • Resource Owner Password Flow
  • Embedded Login Page
  • Remember me

Solution

For an embedded login/resource owner password flow, there is no Auth0 session cookie as the request to /oauth/token is made outside of the user’s browser.

  • This means there can be no MFA cookies, and session details in Actions are unavailable in this flow.

It is recommended to use Refresh Tokens if they can be stored securely.

These can be set to expire after any length of time; once the refresh token expires, the user must authenticate again (including MFA) to obtain a new one.

Additional logic is required in the Action that normally triggers MFA to suppress it for refresh token flows, so the user is not challenged for MFA again when redeeming the refresh token, for example:

exports.onExecutePostLogin = async (event, api) => {
  if (event.transaction.protocol === "oauth2-refresh-token") {
    // Don't trigger MFA for refresh token flows and exit early
    return;
  }
  // Trigger MFA as normal for other flows such as Resource Owner Password
  api.multifactor.enable('any');
};
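The same policy as a complete post-login Action, added here as an example rather than taken from the article: the decision is kept in a pure function so it can be unit-tested without the Actions runtime, it fails closed (challenges) when event.transaction is missing, and it disables "remember browser" because there is no browser in a Resource Owner Password flow. The protocol value 'oauth2-refresh-token' is from the article; the fake api object in the comments is a test stand-in, not the Auth0 runtime.

```javascript
// Added example (not the article's own code): MFA policy for Resource Owner
// Password logins that skips the challenge on refresh-token exchanges.

// Protocols on which the Action deliberately does NOT challenge.
const MFA_EXEMPT_PROTOCOLS = new Set([
  'oauth2-refresh-token', // client already passed MFA to obtain this token
]);

// Pure decision: true when MFA should be triggered for this transaction.
function shouldChallengeMfa(event) {
  // event.transaction can be absent for some triggers; fail closed and challenge.
  const protocol = event && event.transaction && event.transaction.protocol;
  if (!protocol) return true;
  return !MFA_EXEMPT_PROTOCOLS.has(protocol);
}

// Applies the decision through the Actions api object.
// Returns true if a challenge was requested (kept synchronous for testing).
function applyMfaPolicy(event, api) {
  if (!shouldChallengeMfa(event)) {
    // Refresh-token exchange: exit early, no MFA prompt.
    return false;
  }
  // Resource Owner Password (and any other non-exempt flow): require MFA.
  // No browser is involved, so a "remember browser" cookie cannot apply.
  api.multifactor.enable('any', { allowRememberBrowser: false });
  return true;
}

// In a deployed Action this function is assigned to exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  applyMfaPolicy(event, api);
};
```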

For details on controlling MFA via an Action for Universal Login Flows, see Custom Action to Decide MFA Frequency for Universal Login Flows.