Custom MFA Flow with Google Authenticator - Avoiding Universal Login Redirect

Context

We’re implementing MFA in our React application using Auth0. Our requirements are:

  • MFA should be required only for specific users (based on a flag in user metadata)
  • Google Authenticator is the only allowed MFA method
  • We want to maintain our custom UI for both MFA enrollment and verification
  • Using Auth0’s existing authentication flow with auth0-js WebAuth.login

Post login action

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.user_metadata?.mfa_required) {
    api.multifactor.enable('google-authenticator');
  }
};

The Problem

When api.multifactor.enable() is called, it automatically redirects to Auth0’s Universal Login page for MFA enrollment/verification. We want to avoid this redirect and handle the MFA flow within our application using our own UI components.

Questions

  • Is there a way to use api.multifactor.enable() without triggering the Universal Login redirect?
  • If not, what’s the recommended approach for implementing a custom MFA UI while maintaining Auth0’s security standards?
  • Is it possible to use Auth0’s MFA APIs directly while still maintaining the security of the authentication flow?

Our Ideal Flow

  1. User logs in with username/password
  2. Check if MFA is required
  3. If required and not enrolled:
  • Show our custom QR code enrollment UI
  • Use Auth0 APIs to complete enrollment
  1. If required and enrolled:
  • Show our custom OTP input UI
  • Verify OTP using Auth0 APIs
  1. Complete authentication

Any guidance on achieving this while maintaining security best practices would be greatly appreciated. We’re open to alternative approaches that might better fit Auth0’s architecture.

Hi @sivaram.t

Welcome to the Auth0 Community!

Thank you for posting your question. Due to the Actions expected behaviour, it will always redirect you to the Universal Login if you use the api.multifactor.enable(). I would encourage you to check the recommended Universal Login solution with Universal Login Page Templates Customization → https://auth0.com/docs/customize/login-pages/universal-login/customize-templates or the recently released Advanced Customization for Universal Login, which is in early access currently and can be a subject to the changes → https://auth0.com/docs/customize/login-pages/advanced-customizations

If you want to follow with your custom UI for MFA enrollment, you can check this doc → https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa and https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators, which explain how to use the MFA from your application with ROPG flow, but you can also use regular /authorize flow by adding an MFA API audience.

Thanks
Dawid