Disabling MFA using Actions not working as expected

Hello,

Expectation

We would like to have Adaptive MFA configured for all users with OTP and Email as enrollment options. We would like to fully disable MFA for test users.

Context:

  1. We have enabled Adaptive MFA and configured OTP and Email.
  2. We have a lot of automated test users, for whom we would like to skip any MFA authentication.
  3. We have added a Post Login Action “Bypass MFA for Test user”. In that Action we are trying to disable MFA.
     In the images below you can see how our MFA is configured.

We have found several similar threads on how to accomplish this:

  1. How to disable MFA using actions? - Auth0 Community
  2. How to disable mfa for a particular user - Auth0 Community
  3. Disable MFA for enterprise connection - Auth0 Community

We followed solution 1, because it fits our scenario best.

Actual result

No matter what we do, the user is always prompted with the MFA challenge.
Our post-login Action looks like this:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable('none', {allowRememberBrowser: false});
  // api.multifactor.enable('none');
  // We tried both of the options above; neither worked

  // (...) logic to enable/disable MFA if needed, but we decided to try to force-disable it for everyone to see if it works
};

Please clarify whether this can be achieved or whether we have misunderstood the documentation. According to our findings this should have worked as expected. This is a huge blocker for us, as we have a lot of automated tests running.

Hi @michal.k

Welcome to the Auth0 Community!

I have found that a different approach works reliably in my case while doing some testing, namely the steps outlined in our Knowledge Article on How to Enable MFA for a Subset of Users.
This operates much the other way round from your approach, in that MFA will not be required of every user, only of those that have a specific object in their app_metadata (I would suggest setting the object in app_metadata instead of user_metadata as outlined in the documentation, because users have Read-Only permissions to app_metadata, but Read/Write to the latter).

Alongside the Action itself, one difference to point out would be to actually make sure that Require Multi-factor Auth is set to None. This is because we want MFA to be triggered according to the Action, and not out-of-the-box for everyone.

From my testing, this operated the way you intended to make it work, only users with "use_MFA" : true object in their app_metadata are prompted for MFA. The mentioned article also shows how to update the app_metadata both through the Dashboard and through Management API, in case you have a larger pool of users.

The Action that I used for testing is this:

exports.onExecutePostLogin = async (event, api) => {
  if (event.user.app_metadata && event.user.app_metadata.use_mfa) {
    api.multifactor.enable('any', {allowRememberBrowser: false});
  }
};

Hope this helped!
Gerald
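As an added example (not code from this thread or from Auth0), here is a post-login Action that takes the approach above (dashboard "Require Multi-factor Auth" set to None, the Action decides) but inverts the flag so that MFA is the default and only accounts flagged in app_metadata are exempted, which matches the original test-user scenario. The flag name `skip_mfa`, the `mfaRequiredFor` / `simulateLogin` helpers and the mock `event`/`api` objects are assumptions for offline testing.

```javascript
// Decide purely from app_metadata: end users can write user_metadata but not
// app_metadata, so a flag in user_metadata must never grant a bypass.
function mfaRequiredFor(user) {
  const meta = (user && user.app_metadata) || {};
  return meta.skip_mfa !== true; // only an explicit boolean true exempts the account
}

// The Action body. With Require MFA = None in the Dashboard, MFA is only
// triggered when the Action calls api.multifactor.enable.
const onExecutePostLogin = async (event, api) => {
  if (mfaRequiredFor(event.user)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
  // else: flagged test account, no MFA challenge
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Mock of the Actions `api` object that records multifactor.enable calls.
function makeApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Run the Action against a constructed user and return the recorded calls.
// The Action body contains no await, so it completes synchronously.
function simulateLogin(user) {
  const api = makeApi();
  onExecutePostLogin({ user }, api);
  return api.calls;
}

// Constructed sample users, not real accounts.
const testUser = { email: 'bot-01@example.test', app_metadata: { skip_mfa: true } };
const regularUser = { email: 'alice@example.test', app_metadata: {} };
const tamperedUser = { email: 'mallory@example.test', user_metadata: { skip_mfa: true } };
console.log(simulateLogin(testUser).length, simulateLogin(regularUser).length, simulateLogin(tamperedUser).length);
```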