We’re working on integrating our system with Auth0, and our design makes use of the organizations feature. I was wondering if there was a way to limit which MFA factors an organization could have available. I know that the Actions api object allows us to set the mfa provider, but that doesn’t really do what I’m looking for.
Setting the provider to ‘guardian’ would allow the user to use Push, SMS, or OTP.
What I am hoping for is a way to control whether they can use SMS on a per organization basis. The reasoning is that SMS costs us on our Twilio account, so we want to only opt in specific customers.
Is there a way to do this, or plans to implement something similar?
But what I am asking for is a way to control which of these factors are available based on which organization is being used to log in.
Something like api.multifactor.enable('any', {factors: ['otp', 'push']})
This is now possible - you can customize the MFA factors that are required for end-users in a variety of different scenarios. See this example which demonstrates how this can be done on a per-Organization basis using Organization metadata.