Dynamically disable MFA when using Passkeys

Hi all,

we’re using passkeys and SMS based MFA.

For some users (test users etc.) we need to be able to dynamically disable MFA.

We use an action and evaluate a property called mfa_enabled in the user’s app_metadata:

// Post-login action: skip MFA for users whose app_metadata opts them out.
exports.onExecutePostLogin = async (event, api) => {
  // Optional chaining guards against users that have no app_metadata at all.
  const mfaEnabled = event.user.app_metadata?.mfa_enabled;

  // Only an explicit `false` skips MFA; undefined or any other value leaves MFA on.
  if (mfaEnabled === false) {
    api.multifactor.enable("none");
    return;
  }
};

This approach works fine for us in other projects.

Now, combining it with passkeys we’re running into an issue: The MFA is skipped as expected but when creating a passkey, the MFA enrollment process is triggered on the first time.

If the user is not creating a passkey and going through the login again for the second time the MFA enrollment process is not started.

We’d expect that api.multifactor.enable("none"); would completely disable MFA (challenge plus enrollment).

Can you help? Thanks!

Hi @alex.fechner,

Welcome to the Auth0 Community!

Firstly, have you made sure you have disabled MFA in your tenant settings under Dashboard > Security > Multi-factor Auth?

If not, this setting will ensure that MFA is disabled, and only your post-login action script can be used to trigger MFA, which will override that setting.

As for your post-login script, I recommend referring to this example which shows you how to skip MFA for a user that has authenticated with a passkey.

Thanks,
Rueben
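Putting the two replies together, here is an added example of a post-login action that combines the poster's app_metadata opt-out with the passkey check Rueben points to. This is my code, not the poster's and not Auth0's documentation example. It assumes the tenant MFA policy has been set to "Never" in the dashboard (as Rueben recommends), so MFA enrollment and challenge happen only when the action calls api.multifactor.enable(). The "any" provider argument is the standard way to request MFA from an Action; the detection of a passkey login via event.authentication.methods containing a method named "passkey" is an assumption about the event shape and should be checked against the current Auth0 event reference. The sample events and the recording api object are constructed for the demo so the logic can be run and tested offline.

```javascript
// Added example: MFA decision for an Auth0 post-login Action.
// Assumption: tenant MFA policy is "Never", so MFA runs only when
// api.multifactor.enable() is called here.

const PASSKEY_METHOD = "passkey"; // assumed method name in event.authentication.methods

// True when the first factor for this login was a passkey.
function usedPasskey(event) {
  const methods = event.authentication?.methods ?? [];
  return methods.some((m) => m && m.name === PASSKEY_METHOD);
}

// Only an explicit `false` opts a user out; a missing flag keeps MFA on,
// so a forgotten attribute fails closed rather than open.
function mfaDisabledByMetadata(event) {
  return event.user?.app_metadata?.mfa_enabled === false;
}

// Pure decision function: easy to unit-test without the Auth0 runtime.
function decideMfa(event) {
  if (mfaDisabledByMetadata(event)) {
    return { action: "skip", reason: "app_metadata.mfa_enabled === false" };
  }
  if (usedPasskey(event)) {
    return { action: "skip", reason: "authenticated with a passkey" };
  }
  return { action: "enforce", reason: "password or other first factor" };
}

// Side effects live here: MFA is requested only on an "enforce" decision.
// Not calling enable() at all is what skips both challenge and enrollment
// when the tenant policy is "Never".
function applyDecision(api, decision) {
  if (decision.action === "enforce") {
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
  return decision;
}

// The handler Auth0 would invoke; it just wires the two helpers together.
const onExecutePostLogin = async (event, api) => applyDecision(api, decideMfa(event));
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Recording stand-in for the Action `api` object (constructed for the demo).
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

// Constructed sample events covering the three cases discussed in the thread.
const passkeyLogin = {
  user: { app_metadata: {} },
  authentication: { methods: [{ name: "passkey" }] },
};
const passwordLogin = {
  user: { app_metadata: {} },
  authentication: { methods: [{ name: "pwd" }] },
};
const optedOutPasswordLogin = {
  user: { app_metadata: { mfa_enabled: false } },
  authentication: { methods: [{ name: "pwd" }] },
};

// Runs each sample through the action and returns how many times MFA was requested.
function demo() {
  const results = {};
  const samples = { passkeyLogin, passwordLogin, optedOutPasswordLogin };
  for (const [name, event] of Object.entries(samples)) {
    const api = makeRecordingApi();
    applyDecision(api, decideMfa(event));
    results[name] = api.calls.length;
  }
  return results; // { passkeyLogin: 0, passwordLogin: 1, optedOutPasswordLogin: 0 }
}

console.log(demo());
```

Keeping the decision in a pure function makes the opt-out auditable: you can list exactly which conditions skip MFA and assert them in a test, and a user with no mfa_enabled attribute still gets the second factor.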
