Custom MFA Enrollment and WebAuthn issues

Overview

This article details how to handle users that have enrolled WebAuthn first and can no longer access the device.

Applies To

  • Custom MFA Selection
  • MFA Actions Enrollment
  • WebAuthn

Solution

Auth0 enforces that an existing factor is challenged before enrollWith() can be used to add another MFA type. This prevents a malicious agent from taking over the account and registering an MFA factor they control for future logins, which could lock the legitimate user out of their own account. It does, however, mean that when using the Custom MFA Enrollment features, allowing a user to enroll in WebAuthn first could lead to the user losing access to their account when they are away from their laptop (for example, because the biometric scanner is built into the laptop).

It is therefore recommended that a factor such as OTP is set up before WebAuthn / biometrics, so that the user has a fallback factor (such as OTP on their phone) that is more likely to be accessible at any given time. This is how the non-customized MFA feature in Actions operates (i.e. using api.multifactor.enable('any')): biometrics are enrolled only after another factor has been enrolled as a backup. See Multi-Factor Authentication for additional details.
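The following Post-Login Action is an added example, not Auth0's own code, showing one way to enforce the OTP-before-WebAuthn ordering described above. It assumes the Actions runtime exposes event.user.enrolledFactors (an array of { type } objects), api.authentication.challengeWith() and api.authentication.enrollWith(), and that the factor type strings are 'otp', 'webauthn-platform' and 'webauthn-roaming'; only enrollWith() itself is named on this page.

```javascript
// Added example (not Auth0's own code). Assumed Actions API names:
// event.user.enrolledFactors, api.authentication.challengeWith(),
// api.authentication.enrollWith(), and the factor type strings below.
const WEBAUTHN_TYPES = new Set(['webauthn-platform', 'webauthn-roaming']);

// Pure decision function so the policy can be unit-tested offline.
// Returns { step: 'enroll' | 'challenge', type, warning? }.
function decideMfaStep(enrolledFactors) {
  const types = new Set((enrolledFactors || []).map((f) => f.type));
  const hasOtp = types.has('otp');
  const webauthn = [...types].find((t) => WEBAUTHN_TYPES.has(t));

  if (!hasOtp && !webauthn) {
    // Nothing enrolled yet: require the fallback factor (OTP) first.
    return { step: 'enroll', type: 'otp' };
  }
  if (hasOtp) {
    // A fallback exists. Challenge it; Auth0 requires an existing factor to be
    // challenged before enrollWith() can add WebAuthn, so WebAuthn enrollment
    // can safely follow this step.
    return { step: 'challenge', type: 'otp' };
  }
  // WebAuthn-only user: the lockout case this article describes. The device
  // must be challenged; flag the state so operators can find such users.
  return {
    step: 'challenge',
    type: webauthn,
    warning: 'user has WebAuthn enrolled but no fallback factor (OTP)',
  };
}

// Auth0 Post-Login Action entry point applying the decision above.
const onExecutePostLogin = async (event, api) => {
  const decision = decideMfaStep(event.user.enrolledFactors);
  if (decision.warning) {
    console.warn(`${event.user.user_id}: ${decision.warning}`);
  }
  if (decision.step === 'enroll') {
    api.authentication.enrollWith({ type: decision.type });
  } else {
    api.authentication.challengeWith({ type: decision.type });
  }
};

// Auth0 Actions export the handler this way; guarded so the file also runs as ESM.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```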