Custom MFA Flow with Google Authenticator - Avoiding Universal Login Redirect

sivaram.t · April 8, 2025, 7:40am

Context

We’re implementing MFA in our React application using Auth0. Our requirements are:

MFA should be required only for specific users (based on a flag in user metadata)
Google Authenticator is the only allowed MFA method
We want to maintain our custom UI for both MFA enrollment and verification
Using Auth0’s existing authentication flow with auth0-js WebAuth.login

Post login action

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.user_metadata?.mfa_required) {
    api.multifactor.enable('google-authenticator');
  }
};

The Problem

When api.multifactor.enable() is called, it automatically redirects to Auth0’s Universal Login page for MFA enrollment/verification. We want to avoid this redirect and handle the MFA flow within our application using our own UI components.

Questions

Is there a way to use api.multifactor.enable() without triggering the Universal Login redirect?
If not, what’s the recommended approach for implementing a custom MFA UI while maintaining Auth0’s security standards?
Is it possible to use Auth0’s MFA APIs directly while still maintaining the security of the authentication flow?

Our Ideal Flow

User logs in with username/password
Check if MFA is required
If required and not enrolled:

Show our custom QR code enrollment UI
Use Auth0 APIs to complete enrollment

If required and enrolled:

Show our custom OTP input UI
Verify OTP using Auth0 APIs

Complete authentication

Any guidance on achieving this while maintaining security best practices would be greatly appreciated. We’re open to alternative approaches that might better fit Auth0’s architecture.

dawid.matuszczyk · April 30, 2025, 9:40pm

Hi @sivaram.t

Welcome to the Auth0 Community!

Thank you for posting your question. Due to the Actions expected behaviour, it will always redirect you to the Universal Login if you use the api.multifactor.enable(). I would encourage you to check the recommended Universal Login solution with Universal Login Page Templates Customization → https://auth0.com/docs/customize/login-pages/universal-login/customize-templates or the recently released Advanced Customization for Universal Login, which is in early access currently and can be a subject to the changes → https://auth0.com/docs/customize/login-pages/advanced-customizations

If you want to follow with your custom UI for MFA enrollment, you can check this doc → https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa and https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators, which explain how to use the MFA from your application with ROPG flow, but you can also use regular /authorize flow by adding an MFA API audience.

Thanks
Dawid

Topic		Replies	Views
How to Enable Google Authenticator MFA in Auth0-Lock for React.js? Get Help login-experience , login-prompt-new-experience	4	27	March 26, 2025
Can we use context.redirect after context.multifactor? Get Help mfa , mfa-api	0	990	April 27, 2023
Enrol user through MFA after signup Get Help react	4	2717	December 7, 2021
In-App management of MFA with auth0-spa-js Get Help mfa , spa , react , otp , auth0-spa-js	0	3937	July 17, 2019
React auth0-js MFA Get Help mfa , react	4	5781	January 31, 2019