Enable “Allow unchallenged MFA API access” in Tenants

Last Updated: Sep 4, 2024

Overview

Tenant admins will receive an Auth0 email notification, “Changes to when Contextual MFA Challenges are Enforced,” announcing the following new Multifactor (MFA) behavior.

As of June 17, 2024, MFA challenges will always be enforced when requesting the ‘/mfa’ audience.

Tenants can test the new behavior ahead of the change by opting in.

To opt in:

  1. Go to Auth0 Dashboard > Tenant Settings > Advanced.
  2. Scroll down to the Migrations section of the page.
  3. The “Allow unchallenged MFA API access” control is enabled by default, which leaves the tenant in the current, insecure mode. To opt in to the new, secure behavior, change the control to disabled.

However, some tenants might not have this tenant configuration yet.

Applies To

  • Multifactor Authentication (MFA)

Solution

If the flag is not available, please reach out to Auth0 Support.

With the “Allow unchallenged MFA API access” flag disabled:

  • If the user is enrolled in a factor, and the MFA API is specified as the audience, they will be challenged for their enrolled factor.
  • If the user is not enrolled in an MFA factor, they will not be challenged with MFA.