Custom UI to challenge MFA post login

Response from Auth0 support ticket:

The approach shown on https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticator, as you’ve already correctly understood, is for building your own UI. It will still use our Authentication pipeline as usual.

"How would I generate this MFA_TOKEN post login? I don’t want the user to re-enter their credentials again or re-confirm via SSO."

MFA only works as an extensibility endpoint during the Authentication process. As far as I know, you cannot separate MFA from the authentication process. This means that you can, for example, call the /authorize endpoint to protect a certain page and based on your criteria, challenge the user via MFA or not. This does not mean that the user will be forced to enter credentials again, but the user must enter our Authentication pipeline so their current session can be evaluated before any MFA challenge can be presented.

I don’t think the following will completely meet your requirements, but have you considered Adaptive MFA? Again, this solution would work on an Authentication scenario too and is not supported for all use cases. We don’t offer MFA outside our authentication pipeline.

"Another approach would be that we confirm the MFA (phone number) ourselves via a custom-built service. Is there any way of retrieving the unmasked phone number? The mfa/authenticator API only returns masked phone numbers."

There’s no way to retrieve the full phone number after it’s already been registered as an MFA factor. As a workaround, you could do one of two things:

  • Use the MFA API to build your own MFA flow and UI, which would allow you to collect the phone number and add it to the Auth0 profile or store it in your DB.
  • You can collect the phone number as an additional field during the sign-up process.
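As an added example (not code from Auth0 or from the support response above), here is the ROPG + MFA API exchange the first workaround refers to, with SMS as the out-of-band factor: the password grant comes back 403 mfa_required with an mfa_token, that token is used to enroll (or challenge) an SMS authenticator, and the SMS code is exchanged for tokens. The unmasked number is captured at enrollment and stored by the client, because /mfa/authenticators later returns it masked. Endpoint paths, the grant type and field names follow Auth0's published MFA API docs; the tenant hostname, client credentials, user, phone number, codes and every response body are constructed, and the stub transport stands in for the tenant so the script runs offline.

```python
"""Custom MFA flow against the Auth0 MFA API (ROPG + SMS out-of-band factor).

Added example, not Auth0's code.  The HTTP layer is injected so the flow runs
offline against the constructed stub tenant below; swap `stub_tenant` for a real
poster (urllib/requests) to talk to a tenant.  Paths and field names follow the
Auth0 MFA API docs; hostname, credentials, phone number and codes are made up.
"""
from typing import Any, Callable, Dict, Tuple

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"
# transport: (method, url, json body, headers) -> (status, parsed body)
Transport = Callable[[str, str, Dict[str, Any], Dict[str, str]], Tuple[int, Any]]


class Auth0MfaClient:
    def __init__(self, domain: str, client_id: str, client_secret: str,
                 audience: str, send: Transport):
        self.base = f"https://{domain}"
        self.creds = {"client_id": client_id, "client_secret": client_secret}
        self.audience = audience
        self.send = send
        self.phone_book: Dict[str, str] = {}   # our own record of full numbers

    def password_grant(self, username: str, password: str) -> Dict[str, Any]:
        """Step 1: ROPG.  With MFA enforced the tenant answers 403 mfa_required;
        the mfa_token inside that error drives the rest of the flow."""
        status, body = self.send("POST", f"{self.base}/oauth/token", {
            "grant_type": "password", "username": username, "password": password,
            "audience": self.audience, "scope": "openid", **self.creds}, {})
        if status == 200:
            return {"mfa_required": False, "tokens": body}
        if status == 403 and body.get("error") == "mfa_required":
            return {"mfa_required": True, "mfa_token": body["mfa_token"]}
        raise RuntimeError(f"/oauth/token returned {status}: {body}")

    def enroll_sms(self, mfa_token: str, username: str, phone: str) -> str:
        """Step 2a (no factor yet): enroll an SMS authenticator.  This is the only
        point where the unmasked number passes through our hands, so keep a copy."""
        status, body = self.send("POST", f"{self.base}/mfa/associate", {
            "authenticator_types": ["oob"], "oob_channels": ["sms"],
            "phone_number": phone}, {"Authorization": f"Bearer {mfa_token}"})
        if status != 200:
            raise RuntimeError(f"/mfa/associate returned {status}: {body}")
        self.phone_book[username] = phone
        return body["oob_code"]             # Auth0 has already sent the SMS

    def list_authenticators(self, mfa_token: str) -> Any:
        """Enrolled factors; the phone number only comes back masked."""
        status, body = self.send("GET", f"{self.base}/mfa/authenticators", {},
                                 {"Authorization": f"Bearer {mfa_token}"})
        if status != 200:
            raise RuntimeError(f"/mfa/authenticators returned {status}: {body}")
        return body

    def challenge_sms(self, mfa_token: str, authenticator_id: str) -> str:
        """Step 2b (factor exists): have Auth0 send the SMS code."""
        status, body = self.send("POST", f"{self.base}/mfa/challenge", {
            "mfa_token": mfa_token, "challenge_type": "oob",
            "authenticator_id": authenticator_id, **self.creds}, {})
        if status != 200:
            raise RuntimeError(f"/mfa/challenge returned {status}: {body}")
        return body["oob_code"]

    def verify_sms(self, mfa_token: str, oob_code: str, code: str) -> Dict[str, Any]:
        """Step 3: trade mfa_token + oob_code + the code the user typed for tokens."""
        status, body = self.send("POST", f"{self.base}/oauth/token", {
            "grant_type": MFA_OOB_GRANT, "mfa_token": mfa_token,
            "oob_code": oob_code, "binding_code": code, **self.creds}, {})
        if status != 200:
            raise PermissionError(body.get("error_description", body))
        return body


# ---- constructed stub tenant standing in for https://example.auth0.com ------
MFA_TOKEN, OOB_CODE, SMS_CODE = "mfa-tok-constructed", "oob-constructed", "123456"

def stub_tenant(method: str, url: str, body: Dict[str, Any], headers: Dict[str, str]):
    path = url.split("example.auth0.com", 1)[1]
    bearer = headers.get("Authorization") == f"Bearer {MFA_TOKEN}"
    if path == "/oauth/token" and body.get("grant_type") == "password":
        return 403, {"error": "mfa_required", "mfa_token": MFA_TOKEN,
                     "error_description": "Multifactor authentication required"}
    if path == "/mfa/associate" and bearer:
        return 200, {"authenticator_type": "oob", "oob_channel": "sms",
                     "binding_method": "prompt", "oob_code": OOB_CODE,
                     "recovery_codes": ["CONSTRUCTEDRECOVERY"]}
    if path == "/mfa/authenticators" and bearer:   # note the masked name
        return 200, [{"id": "sms|dev_constructed", "authenticator_type": "oob",
                      "oob_channel": "sms", "name": "XXXXXXXX4567", "active": True}]
    if path == "/mfa/challenge" and body.get("mfa_token") == MFA_TOKEN:
        return 200, {"challenge_type": "oob", "binding_method": "prompt", "oob_code": OOB_CODE}
    if path == "/oauth/token" and body.get("grant_type") == MFA_OOB_GRANT:
        if (body.get("mfa_token"), body.get("oob_code"), body.get("binding_code")) == (MFA_TOKEN, OOB_CODE, SMS_CODE):
            return 200, {"access_token": "at-constructed", "id_token": "idt-constructed",
                         "token_type": "Bearer", "expires_in": 86400}
        return 403, {"error": "invalid_grant", "error_description": "Invalid binding_code."}
    return 404, {"error": "not_found"}


def run_demo(sms_code: str = SMS_CODE) -> Dict[str, Any]:
    """First login enrolls SMS and verifies; a later login challenges the existing
    authenticator and shows the masked name beside the number we stored ourselves."""
    c = Auth0MfaClient("example.auth0.com", "cid-constructed", "csecret-constructed",
                       "https://api.example.com", stub_tenant)
    first = c.password_grant("alice@example.com", "correct horse")
    oob = c.enroll_sms(first["mfa_token"], "alice@example.com", "+15550104567")
    tokens = c.verify_sms(first["mfa_token"], oob, sms_code)
    again = c.password_grant("alice@example.com", "correct horse")
    auth = c.list_authenticators(again["mfa_token"])[0]
    tokens2 = c.verify_sms(again["mfa_token"], c.challenge_sms(again["mfa_token"], auth["id"]), sms_code)
    return {"masked": auth["name"], "stored": c.phone_book["alice@example.com"],
            "access_token": tokens["access_token"], "second_access_token": tokens2["access_token"]}


if __name__ == "__main__":
    print(run_demo())
```

Two points worth keeping in mind when adapting this. The mfa_token is only ever issued inside the authentication pipeline (here, as the 403 from the password grant), which is the constraint the support reply describes: there is no call that mints one for an already-established session, so a "challenge later" feature still has to send the user back through /authorize or /oauth/token. And the client stores the full number at enrollment time because that is the last moment it is visible; a wrong SMS code surfaces as invalid_grant, which the example maps to PermissionError rather than retrying blindly.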