How can I know if MFA is enabled on my app and which factors are enabled using actions?

lucas.gonzalez · July 6, 2022, 11:00pm

I’m working on an action that needs to check if the APP has MFA enabled and if there’s any factor enabled on my app.

I want to check this at the APP level, doesn’t matter if the user has enrolled in MFA yet.

Basically because if I enable MFA in my app and any factor is enabled in the dashboard, I should not enable MFA for certain users because I got an invalid_request with error_description: "No Confirmed"
This is because I got an error if all factors are disabled.

Thanks.

rueben.tiow · July 7, 2022, 12:00am

Hi @lucas.gonzalez,

Welcome to the Auth0 Community!

I understand that you would like to know how to determine if your application has MFA enabled and the associated factors.

First, let me explain that when MFA is enabled, the configured MFA factors will apply to all Applications. During the enrollment stage of the authentication flow, the user will have an option to select any MFA factor that you have configured. For example, if MFA is set to Always, and Phone Message is enabled and selected by the user, then the MFA Factor is enabled for that user.

With that, you can find which factors are enabled by navigating to your Auth0 Dashboard > Security > Multi-Factor Auth.

Yes, this is the expected behavior. You must enable at least one MFA Factor to use an Action that allows for MFA authentication, such as Phone Message. Then you can use an Action to enable MFA. For example:

exports.onExecutePostLogin = async (event, api) => {
  api.multifactor.enable('any');
};

I hope this helps!

Did I answer all of your questions?

Thank you.

lucas.gonzalez · July 7, 2022, 12:19am

@rueben.tiow Thanks for the quick answer.

This is my use case:

Admin disables MFA for all factors
My user has guardian as a multifactor option => [‘guardian’]

How I can check if my app has any factor enabled inside an action?

Because based on that, I’ll be able to know if I need to keep forcing MFA for those users or not.
I want to avoid showing the invalid_request error.

Something like this:

exports.onExecutePostLogin = async (event, api) => {
  if(api.multifactors.lenght != 0) {
    api.multifactor.enable('any');
  }

 // OR

  if(api.mfa == 'always) {
    api.multifactor.enable('any');
  }
};

Or if my user has some factor that is not enabled, force it to use one of the enabled ones.

Thanks!

lucas.gonzalez · July 7, 2022, 9:43pm

Hi @rueben.tiow

Let me know if you find something helpful,
I ran out of ideas.

Thanks.

rueben.tiow · July 8, 2022, 5:18pm

Hi @lucas.gonzalez,

Thank you for your response.

In this situation, I recommend using the Management API inside an Action and calling the Retrieve Factors and their Status endpoint.

In the response, you should be able to see which MFA factor you have enabled and proceed with your logic accordingly.

Below are some helpful resources on how to do so:

ManagementClient getFactors() method
How can I use the Management API in Actions? FAQ

Please let me know how this works for you and if have any questions.

Thank you.