We are working with organizations in Auth0, and we have some security requirements from our customers to use MFA.
So we enabled MFA policies and OTP, but it turns out that some customers also have MFA with their SSO, so they would like to have MFA disabled on our side, since it’s redundant for them. Some other customers also want to use SMS rather than OTP for MFA.
Is it possible with Auth0 to have different MFA policies by organization? If yes, where would that documentation be? I couldn’t find anything.
Sunny, my team is going to attempt to have different MFA policies by customer with the following strategy. We are going to add metadata to our enterprise connections that indicates if that connection enforces MFA. Then when a user logs in we check the connection metadata in a rule, if the metadata indicates MFA is enabled on the enterprise connection then we set:
// In the rule: skip Auth0's own MFA challenge for this login
context.multifactor = {
  provider: 'none'
};
Which would disable MFA.
Otherwise we could set
// In the rule: require an Auth0 MFA challenge for this login
context.multifactor = {
  provider: 'any'
};
To force MFA, or just let adaptive MFA kick in for high-risk logins.
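An added example (not code from the thread) of a rule implementing the connection-metadata strategy described above. It assumes `context.connectionMetadata` exposes the connection's metadata as string values, and the metadata key `mfa_enforced_by_idp` is a constructed name.

```javascript
// Added example, not from the original thread: an Auth0 Rule that decides the
// MFA policy per enterprise connection from that connection's metadata.
// Assumptions: the metadata key `mfa_enforced_by_idp` is a constructed name,
// and `context.connectionMetadata` holds the connection's metadata as strings.
const MFA_KEY = 'mfa_enforced_by_idp';

// Pure decision helper so the policy can be unit-tested outside the rule runtime.
// Fails closed: anything other than the exact string "true" keeps Auth0 MFA on,
// so a missing key or a typo ("yes", "TRUE") never silently disables MFA.
function decideMultifactor(connectionMetadata) {
  const meta = connectionMetadata || {};
  if (meta[MFA_KEY] === 'true') {
    // The customer's own SSO IdP already enforced MFA; skip Auth0's challenge.
    return { provider: 'none' };
  }
  // Everyone else: require MFA on every login and do not remember the browser,
  // so the second factor cannot be skipped on a later session.
  return { provider: 'any', allowRememberBrowser: false };
}

// Standard Rule signature: (user, context, callback).
function perConnectionMfaRule(user, context, callback) {
  context.multifactor = decideMultifactor(context.connectionMetadata);
  return callback(null, user, context);
}
```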