Enrolling in MFA after initial sign-up

Hello,

I’ve implemented a couple of applications & APIs as a prototype for integrating with Auth0. Part of that prototype includes enrolling in & using MFA. The MFA works as follows:

  1. User logs in and lands on their dashboard
  2. Dashboard contains a button to initiate MFA enrollment
  3. Management API (via my custom API layer) is used to add an mfa flag to the profile’s user_metadata
  4. Browser is sent back through the login flow (using the JS SDK)
  5. Rule detects the mfa flag and sets the context to require a multi-factor challenge
  6. User is directed to the MFA page and given the opportunity to enroll

This works just fine if the user attempts to enroll after a straight login. However, if the user attempts to enroll immediately after signing up, they are prompted for their credentials again. Is there a way to make both scenarios work without requiring the user to log in again? Conversely, can we always require a re-log before enrolling in MFA? My Product team would at least like the behavior to be consistent :grin:

I don’t know if it matters, but my front-end is Angular 10, with the auth0-js library, and my back-end is a Spring Boot API with the Auth0 Spring Security library. My MFA rule is below:

function rule(user, context, callback) {
	// Don't challenge for MFA if the user did it in the current session
  const completedMfa = !!context.authentication.methods.find(
    (method) => method.name === 'mfa'
  );
  if (completedMfa) {
    return callback(null, user, context);
  }

  // Check to see if they user is enrolled in MFA
  user.user_metadata = user.user_metadata || {};

  if (user.user_metadata.mfa) {
    context.multifactor = {
      provider: 'any',
    };
  }

  callback(null, user, context);
}

Thanks in advance for any help you can provide,


Eric

Just to close the loop here (for posterity): I received a resolution from Auth0 Support. My application was updating the email_verified flag on the profile as part of the signup process. According to the support engineer, updating the email, email_verified, or password fields invalidates the user’s session, causing a re-authentication to be required.

As an alternative, I can use the prompt=login parameter on the /authorize request to force a login for all MFA enrollments.