Force MFA for every fund transfer operation

Hi,

We’re implementing a secure fund transfer workflow in our application that requires additional security measures. We want to ensure that users must complete MFA verification for every fund transfer operation, not just once per session.

Current Implementation

  • Frontend: Using auth0-react SDK

  • Authentication: Using loginWithRedirect with scope parameter including transfer:funds

  • Backend: Validating access tokens with the appropriate scopes

  • Following the Step-up Authentication pattern documented here: (https://auth0.com/docs/secure/multi-factor-authentication/step-up-authentication/configure-step-up-authentication-for-apis#validate-access-tokens-for-mfa)

The Issue

Currently, once a user completes MFA and obtains an access token with the transfer:funds scope, they can perform multiple transfers without re-authenticating with MFA. The token remains valid throughout its lifetime.

What We Need

  • Force MFA verification before each fund transfer operation
  • Invalidate the previous access token after the user completes MFA and performs a transfer

Specific Questions

  • Is it possible to selectively invalidate only access tokens with the transfer:funds scope while preserving tokens with other scopes?

  • If we invalidate a refresh token that was used to obtain an access token with the transfer:funds scope, will that also invalidate tokens with other scopes (like view:balance)?

  • Can we implement scope-based token invalidation rather than invalidating all tokens for a user?

We want our users to re-authenticate for sensitive operations (transfers) but maintain their session for less sensitive operations (checking balances).

Any guidance or sample implementations would be greatly appreciated.

Thank you!

Hi @kevinzhao

Welcome to the Auth0 Community!

Thanks for posting your question; I can propose two solutions based on your description.

  1. Highly Regulated Identity (best security, but requires the Enterprise plan with the HRI add-on)
     You can read more about that feature in depth here → Transactional Authorization with Contextual Strong Customer Authentication
  • Is it possible to selectively invalidate only access tokens with the transfer:funds scope while preserving tokens with other scopes?

Unfortunately, you can’t revoke access tokens → Revoke Tokens

  • If we invalidate a refresh token that was used to obtain an access token with the transfer:funds scope, will that also invalidate tokens with other scopes (like view:balance)?

You can’t revoke the access token, but, as in your example, you can send the refresh token that you want to revoke; the other refresh token will still be operational.

  • Can we implement scope-based token invalidation rather than invalidating all tokens for a user?

Unfortunately, no, but it’s an excellent idea for future requests, and I would encourage you to open a new thread in the Product Feedback category explaining your use case.

Another approach to this problem could be to add a custom scope to the access token that you could validate in your API; a sort of one-time-use flag. There’s no support for this from Auth0 out of the box, but you should be able to implement this behaviour in your own system.

Thanks
Dawid

