Determine if User has Passed MFA in Social SSO / Enterprise SSO

Problem statement

Is there a way to determine whether a user has successfully completed MFA during a Social Login process, particularly in cases where Google SSO is used?

Solution

Auth0 has no way to determine whether MFA was performed successfully on the IDP side, because a federated login does not report that to Auth0. Some IDPs include MFA status information in the ID Token they issue (for example an amr, Authentication Methods References, claim), which an Action could obtain by retrieving the IDP's access token from the user's identities array in Auth0 and calling the IDP's API with it. Refer to Call an Identity Provider API.

Google does not appear to expose this MFA status information in its ID Token. Refer to Obtain user information from the ID token for more information. Since MFA status cannot be retrieved in the case of Google, one option is to customize MFA so that it is skipped entirely for the Google connection. Note that this means trusting Google's own second-factor policy for those users, which Auth0 cannot verify.

The following shows a sample Action with a condition, based on Enforce custom MFA policy. Instead of checking the GeoIP country, check event.connection.
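An added example of such a post-login Action, written for this page and not taken from the article's sample or from Auth0's own code. It keys the decision on event.connection.strategy rather than the connection name, so a renamed Google connection still matches, and it fails closed (requires MFA) when the connection cannot be identified. The 'google-oauth2' strategy value, the mfaDecision helper and the fakeApi dry-run harness are assumptions made for the example; api.multifactor.enable is the Actions API call the Enforce custom MFA policy sample uses.

```javascript
// Auth0 post-login Action: skip Auth0 MFA only for the Google connection.
// Added example, not the article's sample. Assumption: the Google social
// connection uses the built-in 'google-oauth2' strategy; every other
// connection must complete Auth0 MFA.
const CONNECTIONS_WITHOUT_AUTH0_MFA = new Set(['google-oauth2']);

// Pure decision helper (assumed name) so the policy can be checked without
// the Actions runtime. Returns { enforce, reason }.
function mfaDecision(event) {
  const strategy = event && event.connection ? event.connection.strategy : undefined;
  if (typeof strategy !== 'string' || strategy.length === 0) {
    // Fail closed: if we cannot tell which connection authenticated the
    // user, require MFA rather than silently skipping it.
    return { enforce: true, reason: 'unknown connection, requiring MFA' };
  }
  if (CONNECTIONS_WITHOUT_AUTH0_MFA.has(strategy)) {
    // Auth0 cannot see whether the IdP ran a second factor; skipping here
    // means relying on the IdP's own MFA policy.
    return { enforce: false, reason: `skipping Auth0 MFA for ${strategy}` };
  }
  return { enforce: true, reason: `Auth0 MFA required for ${strategy}` };
}

// The Action entry point. No await inside, so the body runs to completion
// synchronously when called, which keeps the dry run below simple.
async function onExecutePostLogin(event, api) {
  const decision = mfaDecision(event);
  if (decision.enforce) {
    // Same call as the Enforce custom MFA policy sample: any enrolled
    // factor, and do not let the browser be remembered.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Register the handler when loaded by the Actions runtime (CommonJS).
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for the Actions `api` object (assumed helper) so the
// policy can be exercised locally; it records every multifactor.enable call.
function fakeApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => { calls.push({ provider, options }); },
    },
  };
}

// Dry run with constructed event fragments (no Auth0 tenant needed).
function dryRun(strategy, name) {
  const api = fakeApi();
  onExecutePostLogin({ connection: { strategy, name } }, api);
  return api.calls.length; // 1 when MFA was enforced, 0 when skipped
}
```

In a real tenant the only thing that needs to change is the set of trusted strategies; the helpers exist so the policy can be run and checked outside Auth0 before it is deployed.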