Force MFA for one specific application

Problem statement

How to enforce the use of MFA for only one application within the tenant?

Solution

NOTE: As the intention is to enforce an MFA challenge for a single application, it is first necessary to set ‘require MFA’ to Never in the tenant settings:

  1. Login to the Auth0 dashboard.
  2. Navigate to Security > Multi-factor Auth.
  3. In the Define Policies box, select the Never option.

Next, an Action can be defined to enforce MFA for one or more applications. This code sample shows how this function might be implemented:

exports.onExecutePostLogin = async (event, api) => {
	// Client IDs of the applications that must complete an MFA challenge.
	const CLIENTS_WITH_MFA = [
		'{yourClientId1}',
		'{yourClientId2}',
		'{yourClientId3}'
	];

	// Only trigger the challenge when the login comes from a listed application.
	if (CLIENTS_WITH_MFA.includes(event.client.client_id)) {
		// Guardian is the provider; allowRememberBrowser: false means every login is challenged.
		api.multifactor.enable('guardian', { allowRememberBrowser: false });
	}
};

This example makes use of these Action properties:

  • the event.client properties of the Event Object
  • the api.multifactor.enable(provider, options) properties of the API Object

In this instance, ‘guardian’ has been chosen as the MFA provider, though the other possible options are:

  • any: use any of the configured challenges.
  • duo: use the Duo multifactor provider.
  • google-authenticator: use the Google Authenticator provider.
  • guardian: use the Guardian provider.
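The following is an added example, not the article's own code, that restructures the Action above so the decision logic can be exercised offline with a constructed event and a fake api object; it goes beyond the article by reading the allow-list from a comma-separated Action secret (assumed to be named CLIENTS_WITH_MFA, a hypothetical name) and by skipping the challenge when event.authentication.methods already records an 'mfa' method for this session.

```javascript
// Added example (not the article's code). Assumptions: the allow-list lives in a
// comma-separated Action secret named CLIENTS_WITH_MFA (hypothetical name), and
// event.authentication.methods lists the methods already completed in this session.

const MFA_PROVIDER = 'guardian';
const MFA_OPTIONS = { allowRememberBrowser: false };

// Parse the comma-separated secret into a list of client IDs, dropping blanks.
function parseAllowList(secretValue) {
  return String(secretValue || '')
    .split(',')
    .map((id) => id.trim())
    .filter((id) => id.length > 0);
}

// True when an MFA method was already completed earlier in this session.
function mfaAlreadyCompleted(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.some((m) => m.name === 'mfa');
}

// Decide whether this login needs an MFA challenge.
function shouldEnforceMfa(event) {
  const allowList = parseAllowList(event.secrets && event.secrets.CLIENTS_WITH_MFA);
  return allowList.includes(event.client.client_id) && !mfaAlreadyCompleted(event);
}

// Action entry point with the same signature Auth0 calls.
const onExecutePostLogin = async (event, api) => {
  if (shouldEnforceMfa(event)) {
    api.multifactor.enable(MFA_PROVIDER, MFA_OPTIONS);
  }
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Fake api that records calls so the Action can be run without a tenant.
function makeFakeApi() {
  const calls = [];
  return { calls, multifactor: { enable: (provider, options) => calls.push({ provider, options }) } };
}

// Run the Action against a constructed event and return what the api saw.
async function runAction(event) {
  const api = makeFakeApi();
  await onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed event builder; client IDs are placeholders, not real values.
const SECRETS = { CLIENTS_WITH_MFA: 'client_A, client_B' };
function eventFor(clientId, methods) {
  return { client: { client_id: clientId }, secrets: SECRETS, authentication: { methods } };
}
```

Keeping the allow-list in a secret lets the client IDs be rotated without redeploying the Action, and the fake api keeps the provider and options visible for checking.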

Related References