How to allow user to enroll MFA any time inside an application

Hi,

We are migrating MFA to Auth0. In our current application, we have a menu option which allows users to enroll in MFA any time while they are in the application. But it doesn’t seem that Auth0 provides a way to do it.
We have tried to use the API to get an enrollment URL with a ticket, but we can’t display this enrollment page in our application; Auth0 forbids using an iframe. If we display the URL on the page, after enrollment, there is no way to go back to our application.

We have also tried to force the user to go through the post-login action without the need to log in again, but couldn’t make this work.

Any help is greatly appreciated.

Thanks!
jai

Hi @jai1,

If you want to enroll a user into MFA at any moment, you can refer to the documentation below:

Step 1. Get MFA access token:

https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api

Step 2. Enroll authenticator - SMS, Phone, TOTP

https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators

Note: a post-login action is the best way to force-enroll a user into MFA.

https://auth0.com/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa

Thanks Suman for the quick response. With your approach, we need to build our own UI to allow the user to select what factor to enroll, correct?

We want to use the Auth0 enrollment page instead; is that doable? By using POST /api/v2/guardian/enrollments/ticket, we can get a URL back. We want to display this URL in our iframe or module window, but we can’t make it work because Auth0 doesn’t allow it.

Yes, you need to build your own UI.

I would never recommend using an iframe or module window, because there are several security and user experience concerns to consider:

  1. Security Risks:
  • Authentication pages in iframes are vulnerable to clickjacking attacks
  • It’s harder to verify the authenticity of the page within an iframe
  • Many authentication providers (including Auth0) explicitly block iframe embedding through X-Frame-Options headers for security reasons
  2. Browser Compatibility:
  • Modern browsers are increasingly restrictive with iframe-based authentication due to security policies
  • Pop-up blockers often interfere with module windows

Instead, Build a Native Experience:

  • Create your own enrollment UI that directly integrates with Auth0’s APIs
  • This gives you full control over the user experience while maintaining security
  • You can style it to match your application perfectly

Hope this helps.

You could also use a redirect.

// Instead of iframe/popup:
window.location.href = enrollmentUrl;

// Handle the return with a callback URL
// Auth0 will redirect back to your application
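
The header-based iframe blocking mentioned in the reply above can be checked from the defender's side. The following is an added example, not part of the original thread and not Auth0 code: it evaluates a response's X-Frame-Options and CSP frame-ancestors headers for one embedding origin, which is the same check to run against a self-built enrollment UI. The origins and header values are constructed for illustration.

```javascript
// Added example: decides whether a response may be rendered in a frame embedded
// by `embedder`, using the two headers browsers consult for framing.
// Assumptions of this sketch: a single embedding ancestor, and host sources in
// frame-ancestors are matched as exact origins (no wildcard hosts or paths).
function framingAllowed(headers, pageOrigin, embedder) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // frame-ancestors takes precedence: when present, X-Frame-Options is ignored.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map(d => d.trim().split(/\s+/))
    .find(tokens => tokens[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    // An empty list or 'none' matches nothing, so some() returns false.
    return directive.slice(1).map(s => s.toLowerCase()).some(src =>
      src === '*' ||
      (src === "'self'" && embedder === pageOrigin) ||
      src === embedder.toLowerCase());
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  // No recognised restriction (the obsolete ALLOW-FROM is ignored by current
  // browsers): the page can be framed by anyone, i.e. clickjacking exposure.
  return true;
}

// Constructed sample responses (not captured from any real tenant).
const APP = 'https://app.example.com';
const IDP = 'https://tenant.example-idp.com';
const samples = {
  hostedEnrollment: { 'X-Frame-Options': 'deny' },
  ownEnrollmentUi: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  unprotected: { 'Content-Type': 'text/html' },
};

// Audit helper: which sample pages could a third-party site put in a frame?
function frameableBy(embedder, pageOrigin) {
  return Object.keys(samples)
    .filter(name => framingAllowed(samples[name], pageOrigin, embedder));
}

console.log(frameableBy('https://evil.example', APP));
```

A self-built enrollment page should land in the "not frameable by other origins" group; any page reported here for a foreign origin is missing its framing restriction.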