Different MFA policies by organization

Hello,

We are working with organizations in Auth0, and we have some security requirements from our customers to use MFA.

So we enabled MFA policies and OTP, but it turns out that some customers also have MFA with their SSO, so they would like to have MFA disabled on our side, since it’s redundant for them. Some other customers also want to use SMS rather than OTP for MFA.

Is it possible with Auth0 to have different MFA policies by organization? If yes, where would that documentation be? I couldn’t find anything.

If it’s not possible, is there an alternative?

Hey there! Don’t know that but let me reach out to appropriate team to find out more about it!

Unfortunately it’s not possible currently. I would highly encourage you to create a feedback card in our Feedback category:

Done: For those who are looking to do that as well, I invite you to vote here: Feature-request: Different MFA policies by organization

1 Like

Perfect! Thanks a lot!

Sunny, my team is going to attempt to have different MFA policies by customer with the following strategy. We are going to add metadata to our enterprise connections that indicates if that connection enforces MFA. Then when a user logs in we check the connection metadata in a rule, if the metadata indicates MFA is enabled on the enterprise connection then we set:

    // Skip Auth0 MFA for this login (the customer's SSO already enforces it)
    context.multifactor = {
      provider: 'none'
    };

Which would disable MFA.

Otherwise we could set

    // Require MFA with any factor enabled on the tenant
    context.multifactor = {
      provider: 'any'
    };

To force MFA, or just let adaptive MFA kick in for high risk logins.

1 Like
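The per-connection workaround described above, written out as an added example (not code from the thread or from Auth0): a pure decision helper, the Rule form using `context.connectionMetadata`, and the equivalent post-login Action body using `event.connection.metadata` and `api.multifactor.enable`. The metadata key `mfa_enforced_by_idp` is a name chosen for this example, and the Action form assumes the tenant MFA policy is set to "Never" so that MFA is triggered only when the Action enables it.

```javascript
// Added example, not code from the thread. An Auth0 Rule (and the equivalent
// post-login Action body) that reads a custom flag on the enterprise
// connection's metadata and only skips Auth0 MFA when the customer's own IdP
// already enforces it. "mfa_enforced_by_idp" is a hypothetical key name: set it
// on each enterprise connection (Connection settings -> Metadata) as "true".

// Pure decision helper so the policy can be exercised without Auth0.
// Fails closed: a missing or malformed flag means MFA stays required.
function decideMfa(connectionMetadata) {
  const flag = connectionMetadata && connectionMetadata.mfa_enforced_by_idp;
  const idpEnforcesMfa = String(flag).trim().toLowerCase() === 'true';
  return idpEnforcesMfa
    ? { provider: 'none' }                               // upstream SSO already did MFA
    : { provider: 'any', allowRememberBrowser: false };  // require any enabled factor
}

// Rule form: context.connectionMetadata holds the connection's metadata.
function mfaByConnectionRule(user, context, callback) {
  context.multifactor = decideMfa(context.connectionMetadata);
  return callback(null, user, context);
}

// Action form: the body of `exports.onExecutePostLogin = async (event, api) => {...}`.
// Assumes tenant MFA policy "Never" (delegated to Actions); there is no explicit
// "disable" call, so not calling enable() is what leaves MFA off.
function onExecutePostLogin(event, api) {
  const decision = decideMfa(event.connection && event.connection.metadata);
  if (decision.provider !== 'none') {
    api.multifactor.enable(decision.provider, {
      allowRememberBrowser: decision.allowRememberBrowser
    });
  }
}
```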

Interesting. I was not aware you could control MFA provider by rules (we use actions, but I guess it can do the same).

Let me know if it works, but that can be a good workaround for now. I’ll try that as well when I get time.

Thanks a lot!

1 Like

Thanks @KSchmi for sharing that with the rest!