Event.authentication.methods Not Updating after MFA Has Been Completed

Overview

When an Action calls api.multifactor.enable(), later Actions in the same pipeline do not see an MFA entry in event.authentication.methods, even though the user goes on to complete the MFA challenge.

Applies To

  • Actions
  • Multifactor Authentication (MFA)

Cause

This happens because the api.multifactor.enable() call is asynchronous with respect to the rest of the Action pipeline: it schedules the MFA challenge rather than pausing the pipeline until the challenge is completed.

In other words, the remaining Actions continue to execute while the user is being challenged for MFA. Unless an Action redirects the user, the whole pipeline can finish before the user has had a chance to complete the MFA challenge.

Because Actions generally execute quickly (unless they make external calls), a later Action in the same pipeline still sees event.authentication.methods containing only the first factor: at the point that Action ran, the user had most likely not yet completed MFA, e.g.:

[ { name: 'pwd', timestamp: '2024-07-11T13:02:03.128Z' } ]

However, if the user is later redirected back to /authorize (for example, to obtain new tokens) while they still have a valid Auth0 session, they are not prompted for credentials again because their session cookie is recognized. The Actions pipeline runs again, and this time the event object starts with the updated event.authentication.methods for that session, including the MFA timestamp, e.g.:

[{ name: 'pwd', timestamp: '2024-07-11T13:02:03.128Z' },
{ name: 'mfa', timestamp: '2024-07-11T13:02:20.849Z', type: 'phone' }]

Solution

If an Action needs to know whether the user completed MFA within the same pipeline execution, the workaround is to use the newer “Customize MFA Selection” feature.

Unlike api.multifactor.enable(), a call to api.authentication.challengeWithAny() or api.authentication.challengeWith() interrupts the Action pipeline: subsequent Actions do not run until the user has completed the challenge, by which point event.authentication.methods has been updated with the new method and its timestamp. Please see the Related References section for more information.
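The following is an added example, not code from the article or from Auth0, of a post-login Action written against the “Customize MFA Selection” API. It checks event.authentication.methods for a recent 'mfa' entry and, if none is present, calls api.authentication.challengeWithAny() (or api.authentication.enrollWithAny() when the user has none of the permitted factors enrolled), so that any Action running after it sees the updated methods array. The 12-hour re-challenge window (MFA_MAX_AGE_MS), the ALLOWED_FACTORS list, the recordingApi() stand-in for the Actions api object, and the sample events and “current time” are assumptions constructed so the file runs offline; the two methods arrays reuse the values quoted above.

```javascript
// Added example (not Auth0's code): a post-login Action that uses the
// "Customize MFA Selection" API so that later Actions in the same pipeline
// can rely on event.authentication.methods containing the 'mfa' entry.
// Assumptions: the 12-hour MFA_MAX_AGE_MS policy, the ALLOWED_FACTORS list,
// and recordingApi(), a stand-in for Auth0's `api` object.

const MFA_MAX_AGE_MS = 12 * 60 * 60 * 1000; // assumption: re-challenge after 12h
const ALLOWED_FACTORS = ['otp', 'push-notification', 'phone']; // assumption: tenant policy

// Most recent 'mfa' entry in event.authentication.methods, or null if the
// user has not completed a second factor in this session.
function latestMfaMethod(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods
    .filter((m) => m.name === 'mfa')
    .reduce((latest, m) =>
      !latest || Date.parse(m.timestamp) > Date.parse(latest.timestamp) ? m : latest, null);
}

// True if an 'mfa' entry exists and is no older than maxAgeMs relative to `now`.
function hasFreshMfa(event, now = Date.now(), maxAgeMs = MFA_MAX_AGE_MS) {
  const mfa = latestMfaMethod(event);
  return mfa !== null && now - Date.parse(mfa.timestamp) <= maxAgeMs;
}

// Decision logic kept synchronous so it can be exercised without Auth0.
// Returns 'skipped', 'challenged' or 'enrolled' describing what was requested.
function enforceMfa(event, api, now = Date.now()) {
  if (hasFreshMfa(event, now)) return 'skipped';

  // Only challenge with factors the user has actually enrolled; otherwise
  // ask them to enroll one. Both calls interrupt the pipeline, so any Action
  // that runs after this one sees the 'mfa' entry with its timestamp.
  const enrolled = ((event.user && event.user.enrolledFactors) || [])
    .map((f) => f.type)
    .filter((t) => ALLOWED_FACTORS.includes(t));
  if (enrolled.length === 0) {
    api.authentication.enrollWithAny(ALLOWED_FACTORS.map((type) => ({ type })));
    return 'enrolled';
  }
  api.authentication.challengeWithAny(enrolled.map((type) => ({ type })));
  return 'challenged';
}

// The Action entry point as Auth0 invokes it.
async function onExecutePostLogin(event, api) {
  enforceMfa(event, api);
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Stand-in for the Actions `api` object that just records the commands issued.
function recordingApi() {
  const commands = [];
  const record = (command) => (...args) => { commands.push({ command, args }); };
  return {
    commands,
    authentication: {
      challengeWithAny: record('challengeWithAny'),
      challengeWith: record('challengeWith'),
      enrollWithAny: record('enrollWithAny'),
    },
    multifactor: { enable: record('multifactor.enable') },
  };
}

// Constructed sample events mirroring the two methods arrays quoted in the article.
const ENROLLED = { enrolledFactors: [{ type: 'phone' }, { type: 'otp' }] };
const FIRST_FACTOR_ONLY = {
  user: ENROLLED,
  authentication: { methods: [{ name: 'pwd', timestamp: '2024-07-11T13:02:03.128Z' }] },
};
const WITH_MFA = {
  user: ENROLLED,
  authentication: { methods: [
    { name: 'pwd', timestamp: '2024-07-11T13:02:03.128Z' },
    { name: 'mfa', timestamp: '2024-07-11T13:02:20.849Z', type: 'phone' },
  ] },
};
const NOT_ENROLLED = {
  user: { enrolledFactors: [] },
  authentication: { methods: FIRST_FACTOR_ONLY.authentication.methods },
};
const NOW = Date.parse('2024-07-11T13:05:00.000Z'); // constructed "current time"

for (const [label, event] of [
  ['first factor only', FIRST_FACTOR_ONLY],
  ['mfa completed', WITH_MFA],
  ['not enrolled', NOT_ENROLLED],
]) {
  const api = recordingApi();
  console.log(label, '->', enforceMfa(event, api, NOW), api.commands);
}
```

The recency check matters in the redirect case described above: on the second trip through /authorize the session already carries the 'mfa' entry, so the Action skips the challenge instead of prompting again, while a stale entry (older than MFA_MAX_AGE_MS) still triggers a fresh challenge.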

Related References