Feature-request: Different MFA policies by organization

sunny.pelletier · October 18, 2021, 7:41pm

Feature:
Support for different MFA policies by organization.

Description: We should be able to customize MFA usage by organization. Some organizations might want MFA disabled by default. Some other organizations might want to use different authentication factors.

The ideal solution I would see would be to allow enabling different MFA policies by CONNECTION. so that you could configure for instance

OTP for the username-password connection of organization #1
None for SSO connection of the same organization (#1)
SMS for the username-password connection of organization #2 (in isolated organization members)

Use-case: Some customers already have MFA in their SSO. So it’s rather annoying for them to have to fill another MFA after already completing their first MFA with their SSO. Along with that, in my company, we have some organizations that are only there for demo/test purpose, so having MFA on those is extremely annoying.

Ref: Different MFA policies by organization

konrad.sopala · October 19, 2021, 2:14pm

Thank you for creating this feedback card! Let’s see how many community members will be interested in such improvement!

adam.housman · December 3, 2021, 6:36pm

@sunny.pelletier you can do this currently with extensibility.

To try this out:

Set MFA to “Always” in your dev Auth0 tenant. (Security → Multi-factor Auth → Define policies → Require Multi-factor Auth Always)
Update an organization to have a metadata field called disableMFA set to true.
Create a post-login Action as below. To make this one work you’ll need to add the lodash module as a dependency.

When logging in via that organization, end-users won’t see the Auth0 MFA prompt, whereas end-users logging in with a different organization (or no organization) will get MFA.

/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/

const _ = require('lodash');

exports.onExecutePostLogin = async (event, api) => {
  // Disable MFA for end-users logging in via an organization that has the disableMFA metadata flag
  // Can also set at connection level (event.connection.metadata)
  if(_.get(event.organization, 'metadata.disableMFA', false)){
    api.multifactor.enable("none");
  }
};

An equally valid way to do this would be to conditionally enable MFA for just the organizations that need it. See the docs.

sunny.pelletier · December 3, 2021, 7:23pm

Thank you for your answer. I will try it out as soon as possible. I asked the question on another topic, and I was answered that it was not possible. If it is possible, then ignore the feature request. Thanks a lot for the answer!

sunny.pelletier · December 8, 2021, 3:33pm

Tested it and it worked you can ignore this feature request!

konrad.sopala · December 9, 2021, 10:14am

Perfect! Closing it then!

adam.housman · November 8, 2023, 1:14pm

FYI we improved this capability to also allow per-Organization MFA factor selection using extensibility: you can customize the MFA factors that are required for end-users in a variety of different scenarios. See this example which demonstrates how this can be done on a per-Organization basis using Organization metadata.