I’ve set up MFA using Universal Login, and I’m able to enroll and challenge the user’s MFA via the out-of-the-box UI when logging into the application.
However, I’m unsure how I would challenge a user after they’ve logged in. For example, they’re attempting to change sensitive data which we deem needs MFA confirmation.
1 - Get MFA_TOKEN via ROPC
2 - Challenge via mfa/challenge
3 - Confirm challenge via oauth/token using the code sent to user and MFA_TOKEN
How would I generate this MFA_TOKEN post login? I don’t want the user to re-enter their credentials again. There’s also no mention of retrieving the MFA_TOKEN for SSO users.
Another approach would be that we confirm the MFA (phone number) ourselves via a custom-built service. Is there any way of retrieving the unmasked phone number? The mfa/authenticator API only returns masked phone numbers.
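The three steps listed above, written out as an added example (not the poster’s code and not an Auth0 library). Endpoint paths, parameter names and the 403 `mfa_required` error shape follow Auth0’s public MFA API documentation; the tenant domain, client id, tokens and SMS code are constructed, and `FakeTenant` is a constructed stand-in for the tenant so the exchange runs offline. The point it makes concrete: the `mfa_token` only ever comes out of the error returned by an authentication request (step 1), which is why there is no “post-login” entry point for it.

```python
"""Auth0 MFA API flow for an SMS (out-of-band) factor: ROPC -> mfa/challenge -> oauth/token."""
import json
import secrets
from urllib import request
from urllib.error import HTTPError

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"


class MfaRequired(Exception):
    """Raised when /oauth/token answers 403 mfa_required; carries the mfa_token."""
    def __init__(self, mfa_token):
        super().__init__("mfa_required")
        self.mfa_token = mfa_token


def http_transport(url, body):
    """Real transport: POST JSON, return (status, decoded JSON) even on 4xx."""
    req = request.Request(url, data=json.dumps(body).encode(),
                          headers={"Content-Type": "application/json"})
    try:
        with request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)


def ropc_token(transport, domain, client_id, username, password):
    """Step 1: password grant. An MFA-enrolled user gets mfa_required here."""
    status, data = transport(f"https://{domain}/oauth/token", {
        "grant_type": "password", "client_id": client_id, "scope": "openid",
        "username": username, "password": password})
    if status == 403 and data.get("error") == "mfa_required":
        raise MfaRequired(data["mfa_token"])
    if status != 200:
        raise RuntimeError(f"{status}: {data.get('error')}")
    return data


def send_oob_challenge(transport, domain, client_id, mfa_token):
    """Step 2: ask the tenant to send the SMS; returns the oob_code to quote back."""
    status, data = transport(f"https://{domain}/mfa/challenge", {
        "mfa_token": mfa_token, "client_id": client_id, "challenge_type": "oob"})
    if status != 200 or data.get("challenge_type") != "oob":
        raise RuntimeError(f"{status}: {data.get('error')}")
    return data["oob_code"]


def verify_oob(transport, domain, client_id, mfa_token, oob_code, binding_code):
    """Step 3: exchange mfa_token + oob_code + the code the user typed for tokens."""
    status, data = transport(f"https://{domain}/oauth/token", {
        "grant_type": MFA_OOB_GRANT, "client_id": client_id, "mfa_token": mfa_token,
        "oob_code": oob_code, "binding_code": binding_code})
    if status != 200:
        raise RuntimeError(f"{status}: {data.get('error')}")
    return data


def login_with_sms_mfa(transport, domain, client_id, username, password, read_code):
    """Run steps 1-3; read_code() is however the app collects the SMS code."""
    try:
        return ropc_token(transport, domain, client_id, username, password)
    except MfaRequired as need:
        oob = send_oob_challenge(transport, domain, client_id, need.mfa_token)
        return verify_oob(transport, domain, client_id, need.mfa_token, oob, read_code())


class FakeTenant:
    """Constructed offline stand-in: MFA-enrolled user, password 'correct horse'.
    Enforces what matters at the protocol level: the challenge needs a live
    mfa_token, and the final grant checks both the oob_code and the SMS code."""
    def __init__(self, sms_code="123456"):
        self.sms_code, self.mfa_tokens, self.oob_codes = sms_code, set(), {}

    def __call__(self, url, body):
        path = url.split("/", 3)[3]
        if path == "oauth/token" and body.get("grant_type") == "password":
            if body.get("password") != "correct horse":
                return 403, {"error": "invalid_grant"}
            tok = secrets.token_urlsafe(16)
            self.mfa_tokens.add(tok)
            return 403, {"error": "mfa_required", "mfa_token": tok}
        if path == "mfa/challenge":
            if body.get("mfa_token") not in self.mfa_tokens:
                return 401, {"error": "invalid_grant"}
            oob = secrets.token_urlsafe(16)
            self.oob_codes[oob] = body["mfa_token"]
            return 200, {"challenge_type": "oob", "oob_code": oob, "binding_method": "prompt"}
        if path == "oauth/token" and body.get("grant_type") == MFA_OOB_GRANT:
            bound = self.oob_codes.pop(body.get("oob_code"), None)
            if bound != body.get("mfa_token") or body.get("binding_code") != self.sms_code:
                return 403, {"error": "invalid_grant"}
            self.mfa_tokens.discard(bound)  # one-shot: token consumed on success
            return 200, {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer"}
        return 404, {"error": "not_found"}


if __name__ == "__main__":
    tokens = login_with_sms_mfa(FakeTenant(), "example.auth0.com", "client123",
                                "alice@example.com", "correct horse", lambda: "123456")
    print(tokens["token_type"], tokens["access_token"])
```

Swap `FakeTenant()` for `http_transport` to talk to a real tenant (the Password grant must be enabled for the application, which is a tenant-wide decision worth weighing on its own). Note that a wrong SMS code surfaces as `invalid_grant` on step 3, not on step 2, so the retry loop belongs around `verify_oob`.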
"How would I generate this MFA_TOKEN post login? I don’t want the user to re-enter their credentials again or re-confirm via SSO."
MFA only works as an extensibility endpoint during the Authentication process. As far as I know, you cannot separate MFA from the authentication process. This means that you can, for example, call the /authorize endpoint to protect a certain page and based on your criteria, challenge the user via MFA or not. This does not mean that the user will be forced to enter credentials again, but the user must enter our Authentication pipeline so their current session can be evaluated before any MFA challenge can be presented.
I don’t think the following will completely meet your requirements, but have you considered Adaptive MFA? Again, this solution would work on an Authentication scenario too and is not supported for all use cases. We don’t offer MFA outside our authentication pipeline.
"Another approach would be that we confirm the MFA (phone number) ourselves via a custom built service. Is there anyway in retrieving the un-masked phone number? The mfa/authenticator API only returns masked phone numbers."
There’s no way to retrieve the full phone number after it’s already been registered as an MFA factor. As a workaround, you could do one of two things:
1 - Use the MFA API to build your own MFA flow and UI, which would allow you to collect the phone number and add it to the Auth0 profile or store it in your DB.
2 - You can collect the phone number as an additional field during the sign-up process.
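The first option in the reply, calling /authorize again to protect a sensitive page and letting the pipeline decide whether to challenge, as an added example (not the replier’s code and not an Auth0 library). The `acr_values` value and the `amr` claim are the ones Auth0 documents for step-up authentication; the domain, client id, redirect URI, `MAX_MFA_AGE` policy and `SAMPLE_CLAIMS` are constructed. `mfa_satisfied` expects claims that a JWT library has already signature-verified; it never decodes a token itself.

```python
"""Step-up MFA through the authorization pipeline: build the /authorize request,
validate the callback, and gate the sensitive action on the ID token's amr claim."""
import time
from urllib.parse import urlencode, urlparse, parse_qs

MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor"
MAX_MFA_AGE = 300  # seconds a completed MFA stays acceptable for a sensitive action (assumed policy)


def build_step_up_url(domain, client_id, redirect_uri, state, nonce):
    """Authorization request asking Universal Login for MFA. The user's existing
    session is reused, so no password prompt appears; only the MFA challenge does."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "openid", "state": state, "nonce": nonce, "acr_values": MFA_ACR}
    return f"https://{domain}/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code; reject a state mismatch (CSRF) or an error reply."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError(q["error"][0])
    return q["code"][0]


def mfa_satisfied(claims, issuer, client_id, nonce, now=None):
    """Decide whether verified ID-token claims prove a recent MFA. Fails closed on
    any missing claim: wrong issuer/audience/nonce, no 'mfa' in amr, stale auth_time."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud or claims.get("nonce") != nonce:
        return False
    if "mfa" not in claims.get("amr", []):
        return False
    auth_time = claims.get("auth_time")
    return isinstance(auth_time, (int, float)) and 0 <= now - auth_time <= MAX_MFA_AGE


# Constructed claims, shaped like the payload Auth0 issues after a step-up login.
SAMPLE_CLAIMS = {
    "iss": "https://example.auth0.com/", "aud": "client123", "sub": "auth0|abc",
    "nonce": "n-1", "amr": ["mfa"], "auth_time": 1700000000,
    "iat": 1700000000, "exp": 1700036000,
}

if __name__ == "__main__":
    url = build_step_up_url("example.auth0.com", "client123",
                            "https://app.example.com/callback", "s-1", "n-1")
    print(url)
    code = parse_callback("https://app.example.com/callback?code=abc&state=s-1", "s-1")
    print(code, mfa_satisfied(SAMPLE_CLAIMS, "https://example.auth0.com/", "client123",
                              "n-1", now=1700000100))
```

Keep the `state` and `nonce` server-side (session-bound) between the redirect and the callback, and treat an ID token without `amr` containing `mfa` as a plain login, not a step-up, even if the user did reach the page through /authorize.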