How to build custom MFA pages

Hi,

We’re using the New Universal login for authentication and we want to use MFA Email and/or SMS.

Universal login doesn’t allow MFA email as a single factor, so we want to build a custom MFA page to do it ourselves by using MFA API.

The issue is that when we want to challenge an MFA factor we need an MFA_TOKEN. This token only seems to be granted through the ROPG flow. But we’re using Universal Login and not ROPG.

The documentation here is unclear on how to achieve this: Manage Authentication Factors with Authentication API

Thank you

Hi @jeremie.poisson

Thanks for getting in touch with us at Auth0 Community.

It’s correct that the ROPG flow does give you the mfa_token, but you can still use Universal Login, providing you use the correct audience and scopes when making the request, as per https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api#universal-login. E.g. a login request may redirect to the /authorize endpoint with the following information:

https://{your_domain}/authorize?
response_type=code&
client_id={your_client_id}&
redirect_uri=http://jwt.io&
scope=enroll+read:authenticators&
audience=https://{your_domain}/mfa/&
state=STATE

This will produce a JWT access token that you should be able to use in the rest of the flow where mfaToken is referenced, e.g. for SMS or voice see the flow here: https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators#enroll-with-sms-or-voice

Warm regards.


Hi,

Ok, that’s interesting, but we already specify an audience for one of our APIs.

And Auth0 doesn’t support multiple audiences.

@jeremie.poisson I believe you would have to send another /authorize request with a new audience, see https://community.auth0.com/t/how-to-specify-multiple-audiences-on-authorize-method/81072/6


So the flow will be something like :

  • User goes to the app
  • User hits the “Login” button
  • The user is redirected to Auth0 with an /authorize request with the https://{your_domain}/mfa/ audience
  • The user enters login/password (Does it work?)
  • He gets redirected to our external MFA pages with Actions (How can we have an Access Token to use here if we didn’t complete the process?)
  • User verifies/enrolls MFA
  • He gets redirected to the app
  • The app sends another /authorize request (another redirection?)

That’s unclear to me here.

Hi @jeremie.poisson

I expect the flow would be something as you describe.

Your fourth point: yes, it does work 🙂

When you get redirected to your external MFA pages you will receive a code as part of the redirection (providing authentication was successful). You’ll then have to use the code in a POST request to /oauth/token.

This will produce an Access Token which you can use on the /mfa/associate endpoint to enrol an MFA factor.

When the user is redirected to your app, you send another /authorize with your API as the audience (plus your API scopes) and use prompt=none to make a silent auth request. A new Access Token will be returned without the user having to re-authenticate, as they already did this for MFA and the server session should still be valid.

I hope this makes sense.

Warm regards.

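The four-step flow the two Auth0 replies above describe (a first /authorize with the https://{your_domain}/mfa/ audience, code exchange at /oauth/token, enrolment through /mfa/associate, then a second, silent /authorize with prompt=none for your own API audience), as an added Python example. It is not code from the thread or from Auth0: the tenant domain, client id, API identifier, redirect URIs and the fake transport inside run_demo() are placeholders, and the request shapes follow the Auth0 documentation linked in the replies. PKCE and state checking are added here as the protections a browser-facing callback page should have; the thread itself does not discuss them.

```python
"""Custom MFA page flow with Universal Login (added example, not from the thread).
Assumptions: DOMAIN, CLIENT_ID, API_AUDIENCE and the redirect URIs are placeholders;
run_demo() swaps the real transport for constructed responses so it runs offline."""
import base64
import hashlib
import hmac
import json
import secrets
import urllib.parse
import urllib.request

DOMAIN = "example.eu.auth0.com"           # placeholder tenant domain
CLIENT_ID = "YOUR_CLIENT_ID"              # placeholder application client id
MFA_AUDIENCE = f"https://{DOMAIN}/mfa/"   # MFA API audience quoted in the thread
API_AUDIENCE = "https://api.example.com"  # placeholder: your own API identifier


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def authorize_url(audience, scope, redirect_uri, state, code_challenge, prompt=None) -> str:
    """Build /authorize. One audience per request, hence two requests in this flow."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": redirect_uri,
              "scope": scope, "audience": audience, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    if prompt:
        params["prompt"] = prompt  # "none" for the silent second request
    return f"https://{DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the code from the redirect. Reject a missing or foreign state (login CSRF)
    and surface errors such as login_required from a prompt=none request."""
    q = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error'][0]}")
    return q["code"][0]


def http_json(url, body, token=None):
    """Real transport: JSON POST with optional bearer token (replaced in run_demo)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def exchange_code(code, redirect_uri, code_verifier, post=http_json) -> str:
    """Step 2: code -> access token for the MFA audience (used where the docs say mfa_token).
    Keep it server-side: it authorises changes to the user's enrolled factors."""
    tok = post(f"https://{DOMAIN}/oauth/token",
               {"grant_type": "authorization_code", "client_id": CLIENT_ID, "code": code,
                "redirect_uri": redirect_uri, "code_verifier": code_verifier})
    return tok["access_token"]


def associate_oob(mfa_access_token, channel, address, post=http_json) -> dict:
    """Step 3: enrol an email or SMS authenticator via POST /mfa/associate (enroll scope)."""
    if channel not in ("email", "sms"):
        raise ValueError("channel must be 'email' or 'sms'")
    body = {"authenticator_types": ["oob"], "oob_channels": [channel],
            ("email" if channel == "email" else "phone_number"): address}
    return post(f"https://{DOMAIN}/mfa/associate", body, token=mfa_access_token)


def run_demo() -> dict:
    """Offline walk-through against a constructed fake Auth0 (no network)."""
    calls = []

    def fake_post(url, body, token=None):  # constructed responses, not real Auth0 output
        calls.append((url, body, token))
        if url.endswith("/oauth/token"):
            return {"access_token": "MFA_AUD_AT", "token_type": "Bearer", "expires_in": 600}
        return {"authenticator_type": "oob", "oob_channel": body["oob_channels"][0],
                "oob_code": "OOB_CODE"}

    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(16)
    url1 = authorize_url(MFA_AUDIENCE, "enroll read:authenticators",
                         "https://mfa.example.com/callback", state, challenge)
    # constructed callback, as the browser would arrive at the custom MFA page
    code = parse_callback(f"https://mfa.example.com/callback?code=AUTHZ_CODE&state={state}", state)
    at = exchange_code(code, "https://mfa.example.com/callback", verifier, post=fake_post)
    enrol = associate_oob(at, "email", "user@example.com", post=fake_post)
    url2 = authorize_url(API_AUDIENCE, "openid profile", "https://app.example.com/callback",
                         secrets.token_urlsafe(16), new_pkce_pair()[1], prompt="none")
    return {"url1": url1, "mfa_access_token": at, "enrol": enrol, "url2": url2, "calls": calls}
```

The first /authorize carries only the MFA audience and the enroll/read:authenticators scopes, so the token it yields is useful for nothing but the MFA API; the API token is minted by the second, silent request against the existing Auth0 session. Each redirect gets its own state and PKCE pair, and the callback refuses a code whose state it did not issue.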
