Feature Request: trigger MFA based on breached password detection

Today when a user logs into our platform with a password that has been found in a past breach, we send the user an email with a magic link for them to log in. We use the HIBP service in a similar way Auth0 provides this service as Breached Password Protection.

However, the Auth0 configuration gives us two options: 1) send an email to the user suggesting they should change their password and 2) block the login until the user changes their password. We’re looking for something in the middle similar to what we have today: don’t allow the login to complete without a second factor if the password was in a past breach (email being that factor today).

I thought this is possible with a post-login action that triggers MFA, but we can’t create a condition for the action based on signal from Breached Password Detection that triggers the custom MFA policy. Well, you can but it’s a race condition between the login completing successfully and triggering a flag on a user’s account based on the login event stream log activity.

@danielc1 @dcohenb

Hi @peter.zimmerman,

Welcome to Auth0 Community!

You could consider using the Adaptive MFA which is a paid feature to accomplish your use case.

Please feel free to reach us if any other queries. Thanks!


BTW I have updated the title to “Enable MFA for user password breach” and added a few tags to help other community developers with this query in the future :slight_smile:

Have a great rest of the day!

1 Like

Hi @lihua.zhang , thanks for responding. We have the Enterprise Security Bundle, and we have Adaptive MFA enabled. This FR is to trigger MFA based on whether the users credentials have been seen in a past breach. The fact that a password is a “breached password” isn’t a risk signal for Adaptive MFA, but it should be something we can create a custom action for in the post-login flow. That does not exist today and I’d like to submit that as a FR.

This is not solved, I’d do not want this post marked as such.

Hey @lihua.zhang, I’m working with @peter.zimmerman on this and adaptive MFA doesn’t provide the ability to customize what happens when a user triggers breach password.

The requested functionality is to “Add a flag/property to the post-login action’s event object such as breachPasswordTriggered=true”. This will allow customers to write their own logic based on the flag, in this case, trigger MFA.

1 Like

Hi @peter.zimmerman @danco ,

Thank you for providing the additional details.

I will move it back to the Feedback category and unmark it as resolved. Please upvote this feedback. Hope it will attract more votes! :slight_smile:

Have a great rest of the day!