Do Refresh Tokens trigger aMFA checks

Hi!
If the invalid travel adaptive MFA check is enabled for a given client, does it also impact refresh tokens?

Let's consider the following scenario:

  • a webapp is using access tokens, refresh token and a session cookie
  • refresh token expires, client requests a new token pair
  • on the identity provider backend (if adaptive MFA is enabled), is there an invalid travel check happening - to see if the last refresh token hasn’t been sent from a location, which is improbable to travel from

Or is the check only happening when the client authenticates by entering credentials in the login form? If yes, does it also impact silent logins using a session cookie?

Hi @skatanski,

Welcome to the Auth0 Community!

Using refresh tokens will not re-trigger MFA if MFA was already completed during the initial interactive login flow. However, the mfa_required error might happen if there is an Action script enforcing MFA again. (Reference: Not able to refresh token if mfa is eanbled (Error: mfa_required) - #5 by tyf)

Thanks,
Rueben

Thanks Rueben!
Your recommended reading link concerns MFA at large, however I’m mostly interested in adaptive MFA. So from what you are saying - does this mean there can be an action script written, which will perform adaptive checks (location, phone number, new devices, forbidden IP) on access and refresh token requests? And block these requests, if those checks fail?

Alternatively - what if I do a silent login using a session cookie - can that trigger an aMFA check - or does it follow similar rules and will not trigger MFA, if MFA was previously entered?

Hi @skatanski,

Thanks for your reply.

Yes, if you need, you can use a post-login action script to perform checks on refresh token requests and block requests or re-trigger MFA accordingly.

If you decide to use silent authentication, it won’t retrigger MFA if it was already completed in the initial login. Otherwise, once again, it will throw the mfa_required error.

Best,
Rueben
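
An added illustration, not part of the thread and not Auth0's own code: a post-login Action that runs its own improbable-travel check on refresh token exchanges and denies the request when it fails. The `MAX_KMH` and `MIN_KM` thresholds and the `last_seen` app_metadata key are assumptions chosen for this sketch.

```javascript
// Added example: thresholds and the "last_seen" key are assumptions.
const MAX_KMH = 900; // assumed ceiling, roughly airliner cruise speed
const MIN_KM = 100;  // assumed tolerance for IP geolocation error

// Great-circle distance in km between two {latitude, longitude} points.
function haversineKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.latitude - a.latitude);
  const dLon = rad(b.longitude - a.longitude);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.latitude)) * Math.cos(rad(b.latitude)) * Math.sin(dLon / 2) ** 2;
  return 2 * 6371 * Math.asin(Math.sqrt(h));
}

// True when moving from prev to cur would require exceeding MAX_KMH.
function isImprobableTravel(prev, cur) {
  // No baseline or no geo data: nothing to compare against.
  if (!prev || cur.latitude == null || cur.longitude == null) return false;
  const km = haversineKm(prev, cur);
  if (km < MIN_KM) return false;
  const hours = Math.max((cur.at - prev.at) / 3.6e6, 1 / 60); // floor at one minute
  return km / hours > MAX_KMH;
}

async function onExecutePostLogin(event, api) {
  const geo = event.request.geoip || {};
  const cur = { latitude: geo.latitude, longitude: geo.longitude, at: Date.now() };
  const prev = (event.user.app_metadata || {}).last_seen;
  const isRefresh = !!event.transaction &&
    event.transaction.protocol === 'oauth2-refresh-token';

  if (isRefresh && isImprobableTravel(prev, cur)) {
    // A refresh exchange has no browser to prompt, so deny rather than challenge.
    api.access.deny('improbable travel on refresh token exchange');
    return; // keep the old baseline so the next request is still compared to it
  }
  if (cur.latitude != null && cur.longitude != null) {
    api.user.setAppMetadata('last_seen', cur);
  }
}

// Actions load the handler from exports; guarded so the file also runs elsewhere.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```

Denying here only rejects the token exchange in progress; it leaves the last stored location unchanged so later requests are still measured against it.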

Hi @rueben.tiow

Thanks a lot for your response. I have one more question, which is related to the above. In that post-login action script, can I also terminate the user’s session (the user who’s related to the refresh token)?