DUO MFA asking users to re-enroll even though they already are registered with DUO

Problem Statement

We noticed that DUO MFA ask users to re-enroll even though they already registered with DUO. The username provided to DUO is a base64 token, so DUO thinks the request is from a new user.
We did not configure what info gets sent to DUO during MFA.


By default, Auth0 uses the following logic to generate a user’s username in Duo:

  1. Take the Auth0 user_id.
  2. Encode it in Base64.
  3. Transform it to lowercase.

In your case, the result does not match existing usernames in DUO for your users.


You can specify the username value within the rule you have set up to enable DUO MFA. By adding the following to your rule, you can set the username to be any part of the user object:

function (user, context, callback) {
  context.multifactor = {
    provider: 'duo',
    allowRememberBrowser: false,
    username: user.email

  callback(null, user, context);