Force MFA for One Specific Application

Last Updated: Sep 24, 2024

Overview

This article describes how to enforce MFA for only one application within the tenant.

Applies To

  • Multifactor Authentication (MFA)
  • MFA for Applications

Solution

Follow the steps or video below.

NOTE: Because the intention is to enforce an MFA challenge for a single application only, it is first necessary to set the tenant-wide ‘Require Multi-factor Auth’ policy to Never; otherwise every application in the tenant would be challenged:

  1. Log in to the Auth0 dashboard.
  2. Navigate to Security > Multi-factor Auth.
  3. In the Define Policies box, select the Never option.

Next, an Action can be defined to enforce MFA for one or more applications. This code sample shows how this function might be implemented:

exports.onExecutePostLogin = async (event, api) => {
  // Client IDs of the applications that must complete an MFA challenge.
  const CLIENTS_WITH_MFA = [
    '{yourClientId1}',
    '{yourClientId2}',
    '{yourClientId3}'
  ];

  // Only the applications in the list trigger MFA; every other login proceeds
  // without a challenge, matching the tenant-level policy of Never.
  if (CLIENTS_WITH_MFA.includes(event.client.client_id)) {
    // allowRememberBrowser: false presents the challenge on every login.
    api.multifactor.enable('guardian', { allowRememberBrowser: false });
  }
};

This example makes use of these Action properties:

  • the event.client properties of the Event Object, in particular event.client.client_id
  • the api.multifactor.enable(provider, options) method of the API Object
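The following is an added example, not the article's code: the same Action with the client allowlist read from an Action secret rather than hard-coded, together with a small offline harness that stands in for the Actions api object so the branch logic can be checked before deployment. The secret name CLIENTS_WITH_MFA, the client IDs and the stub are assumptions made for this example.

```javascript
// Hypothetical secret name; in the Action's Secrets panel it holds a
// comma-separated list of client IDs that must complete MFA.
const SECRET_NAME = 'CLIENTS_WITH_MFA';

function parseAllowlist(raw) {
  // Tolerate surrounding spaces and empty entries in the secret value.
  return (raw || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// In the Action editor this is assigned as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const allowlist = parseAllowlist(event.secrets && event.secrets[SECRET_NAME]);
  if (allowlist.includes(event.client.client_id)) {
    // allowRememberBrowser: false presents the challenge on every login.
    api.multifactor.enable('guardian', { allowRememberBrowser: false });
  }
}

// Recording stub standing in for the Actions `api` object: it only records
// calls to api.multifactor.enable instead of triggering a real challenge.
function makeApiStub() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Runs the Action against a constructed event and reports whether MFA was
// enabled with the Guardian provider. The Action body contains no await, so
// the stub is invoked before the returned promise settles and this can stay
// synchronous.
function mfaEnabledFor(clientId, allowlistSecret) {
  const event = {
    client: { client_id: clientId },              // constructed sample client
    secrets: { [SECRET_NAME]: allowlistSecret },  // constructed secret value
  };
  const api = makeApiStub();
  onExecutePostLogin(event, api);
  return api.calls.length === 1 && api.calls[0].provider === 'guardian';
}
```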

In this instance, ‘guardian’ has been chosen as the MFA provider, though the other possible options are:

  • any: use any of the configured challenges.
  • duo: use the Duo multifactor provider.
  • google-authenticator: use the Google Authenticator provider.
  • guardian: use the Guardian provider.

Related References