Custom MFA Flow: Auth0 Universal Login Still Shows Built-in MFA Prompt After Enrollment

Hello Auth0 Support Team,

We are implementing a custom MFA flow in our application using the Auth0 MFA API (SMS factor). The goal is to use our own UI for both MFA enrollment and MFA verification, while still using Universal Login (UL) for primary authentication.

However, we are experiencing a blocking issue:
Even after disabling built-in MFA in the Dashboard, Universal Login continues to show Auth0’s default MFA challenge screen whenever a user who is already enrolled logs in.

This results in a double MFA prompt:

  1. User logs in through Universal Login.

  2. Auth0 detects existing MFA enrollment → Auth0’s MFA UI appears (unexpected).

  3. After that completes, our app still triggers our own MFA flow (expected).

  4. Users end up having to complete MFA twice, which is unusable.

We want the following experience:

  1. Auth0 should not show any MFA UI at all.
  2. We want full control: Enrollment + Challenge handled exclusively by our custom UI using the MFA API.

Here is our current configuration:

  1. Universal Login: Enabled (new UL)
  2. MFA → Require Multi-factor Auth: set to Never
    (so Auth0 should not require MFA automatically)
  3. Using Auth0 MFA API (/mfa/challenge, /oauth/token with mfa-otp grant)
  4. Using SMS only (no Guardian app)
  5. Using our own custom UI for enrollment & challenge
  6. No MFA Rules enabled
  7. No Actions calling api.multifactor.enable() or challengeWith()

We suspect one of the following may be happening:

  1. Auth0 automatically triggers the MFA challenge UI whenever a user has an enrolled factor, regardless of the “Never” policy — unless the application uses only API-based login (ROPG).

  2. There may be an undocumented condition inside Universal Login that automatically enforces MFA for enrolled users, even when the global MFA requirement is disabled.

  3. Perhaps requesting certain scopes/audience values during the /authorize request implicitly triggers MFA enforcement during UL.

  4. There may be a specific setting or Action callback required to fully bypass Auth0’s built-in MFA UI.

We want to confirm whether it is officially supported to use:

  • Universal Login for primary authentication,

  • while using a fully custom MFA UI (no Auth0 MFA pages at all),

  • via the MFA API for both enrollment and verification.

If so, we need guidance on the correct configuration to ensure Auth0 never shows its own MFA screen once a user is enrolled.

Could you please help us confirm:

  1. Whether Auth0 can fully bypass the built-in MFA challenge UI in UL when a user is already enrolled.

  2. Whether any additional configuration, undocumented flags, Actions settings, or Auth0-side behavior might be causing UL to enforce MFA.

  3. What the recommended implementation pattern is for:

    • UL → redirect to our custom MFA UI

    • custom challenge → resume auth transaction

    • without Auth0’s UI appearing during login

We are happy to provide logs, HAR files, or configuration screenshots if needed.

Thank you in advance for your help.

Hi @kolawole

Welcome to the Auth0 Community!

As long as the MFA is set to Never or not enforced through a PostLogin Action, it should not trigger. The possible causes for this that I can think of would be:

  • You have enabled Attack Protection and the login is flagged as risky. Do you use Attack Protection by any chance? If yes, you can try disabling Suspicious IP Throttling and Bot Detection to see if there are any changes in the behaviour.
  • The authentication request asks for MFA to be triggered because of the acr_values sent by the Auth0 SDK in the /authorize request. It should look something like acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor

You can also try to use api.multifactor.enable("none"); at the beginning of a PostLogin Action to try to bypass it regardless of any settings.

Could you provide me through a DM the tenant name so I can take a look at the configuration myself? Otherwise, I would recommend submitting a support ticket on the matter, since I can see you are part of an enterprise agreement, as we cannot work with HAR files directly.

Looking forward to your reply!

Kind Regards,
Nik

Hi again @kolawole

I am sorry about the delayed response to your inquiry!

As far as I have checked on the tenant, as you have stated, it appears that your MFA policy is indeed set to None and you have enabled the option to Customize MFA using Actions.

As far as I have checked in your PostLogin Action Triggers, you appear to have an action named MFA in which you trigger MFA by using api.multifactor.enable('any');.

Could you unbind that specific Action and let me know if that solves the double MFA issue you are experiencing?

Kind Regards,
Nik
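For readers arriving at this thread: an added example (not the poster's "MFA" Action and not Auth0's own code) of the PostLogin Action pattern Nik describes, replacing api.multifactor.enable('any') with enable('none') so Universal Login stays out of the way and the app's own MFA UI is the only prompt. It assumes the documented Post-Login Action API (event, api) and a placeholder claim namespace of https://example.com/.

```javascript
// Added example for the thread above. The claim namespace is an assumed
// placeholder, not an Auth0 value; the Action API calls are Auth0's documented ones.
const CLAIM_NS = 'https://example.com/';

// Pure decision function so the policy can be unit-tested outside Auth0.
// Returns the provider value to pass to api.multifactor.enable():
//   'any'  -> Universal Login shows Auth0's built-in challenge for every enrolled
//             user (what the poster's Action did, hence the double prompt)
//   'none' -> the built-in challenge is skipped; the app's custom UI handles it
function decideBuiltInMfa(event, useCustomMfaUi) {
  const methods = (event.authentication && event.authentication.methods) || [];
  // MFA already completed in this transaction: never challenge a second time.
  if (methods.some((m) => m.name === 'mfa')) return 'none';
  // A custom MFA UI owns enrollment and challenge, so Auth0 must not prompt,
  // regardless of whether the user already has an enrolled factor.
  if (useCustomMfaUi) return 'none';
  return 'any';
}

// What the app's custom UI should do next, derived from the user's enrollments
// (event.user.multifactor lists enrolled providers). Surfaced as a custom claim
// so the app can branch without an extra Management API call.
function nextCustomMfaStep(event, provider) {
  if (provider !== 'none') return 'handled-by-auth0';
  const factors = event.user.multifactor;
  const enrolled = Array.isArray(factors) && factors.length > 0;
  return enrolled ? 'challenge' : 'enroll';
}

async function onExecutePostLogin(event, api) {
  const provider = decideBuiltInMfa(event, true);
  // Call this first, before anything else in the Action could enable MFA.
  api.multifactor.enable(provider);
  const step = nextCustomMfaStep(event, provider);
  api.accessToken.setCustomClaim(`${CLAIM_NS}mfa_step`, step);
  api.idToken.setCustomClaim(`${CLAIM_NS}mfa_step`, step);
}

// Auth0 loads the handler from the module exports.
if (typeof exports === 'object') exports.onExecutePostLogin = onExecutePostLogin;
```

The app then reads the mfa_step claim after login and drives enrollment or challenge through the MFA API itself.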