Enable “Allow unchallenged MFA API access” in Tenants

Overview

Tenant admins will receive an Auth0 email notification, “Changes to when Contextual MFA Challenges are Enforced”, announcing the following new multi-factor authentication (MFA) behavior:

As of June 17, 2024, MFA challenges will always be enforced when requesting the ‘/mfa’ audience.

To test the new configuration, opt in to the forthcoming change.

To opt in:

  1. Go to Auth0 Dashboard > Tenant Settings > Advanced.
  2. Scroll down to the Migrations section of the page.
  3. The “Allow unchallenged MFA API access” control is enabled by default. This means that the tenant remains in the insecure mode. To opt in to the new, secure behavior, change the control setting to disabled.

However, some tenants might not have this setting available yet.

Solution

If the flag is not available, please reach out to Auth0 Support.