How To Enable MFA for a Subset of Users

Problem Statement

By default, once MFA is enabled, it applies to all users in the tenant. Is it possible to enable MFA for specific users?

Solution

First, ensure the tenant's Require Multi-factor Auth setting is set to None. That tenant-wide setting is overridden when MFA is enforced from a Rule or an Action, which is what makes it possible to enable MFA conditionally for specific users.

The MFA challenge can be triggered based on an attribute stored in the user's profile. Here are the steps:

  1. Set the user.user_metadata.use_mfa attribute in each user's profile to true or false using the Auth0 Management API:

https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id

  2. Enable MFA for those users with either a Rule or an Action.
  • Enable MFA using a Rule:
    function (user, context, callback) {
      // Request a second factor only from users whose user_metadata.use_mfa is true;
      // every other user continues to log in without MFA.
      if (user.user_metadata && user.user_metadata.use_mfa) {
        context.multifactor = {
          provider: 'any',
          allowRememberBrowser: false
        };
      }
      callback(null, user, context);
    }
  • Enable MFA using an Action:
    exports.onExecutePostLogin = async (event, api) => {
      // Request a second factor only from users whose user_metadata.use_mfa is true;
      // every other user continues to log in without MFA.
      if (event.user.user_metadata && event.user.user_metadata.use_mfa) {
        api.multifactor.enable('any', { allowRememberBrowser: false });
      }
    };
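The two steps above (set the flag via the Management API, then read it in the Action) as an added example that is not part of the Auth0 article: the decision is factored into a function so it can be tested offline against a recording stub of the Actions `api` object, and the check is tightened to accept only the boolean `true` (a hardening assumption, since a truthy string such as "false" would otherwise enrol the user). Nothing is sent to the Management API; only the request body is built.

```javascript
// Body for PATCH /api/v2/users/{id} (the endpoint linked in step 1) that sets
// the opt-in flag. Auth0 merges user_metadata, so other keys are left intact.
function buildUseMfaPatch(useMfa) {
  if (typeof useMfa !== 'boolean') {
    throw new TypeError('use_mfa must be a boolean, not ' + typeof useMfa);
  }
  return { user_metadata: { use_mfa: useMfa } };
}

// Strict check: only boolean true opts a user in. A missing profile, a missing
// user_metadata object, or a string like "false" (e.g. from a CSV import) all
// mean "no second factor", which a plain truthiness test would get wrong.
function mfaRequired(user) {
  const meta = (user && user.user_metadata) || {};
  return meta.use_mfa === true;
}

// Post-login handler; in a real Action this is assigned to
// exports.onExecutePostLogin. It has no awaits, so it runs to completion
// synchronously when called, which is what lets runAction() below be sync.
async function onExecutePostLogin(event, api) {
  if (mfaRequired(event.user)) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// Recording stub standing in for the Actions `api` object. Returns the list
// of multifactor.enable() calls the handler made for the given user profile.
function runAction(user) {
  const calls = [];
  const api = {
    multifactor: {
      enable: (provider, opts) => calls.push(Object.assign({ provider }, opts)),
    },
  };
  onExecutePostLogin({ user }, api);
  return calls;
}

// Constructed sample profiles: one opted in, one with the flag as a string.
const optedIn = { user_metadata: { use_mfa: true } };
const stringFlag = { user_metadata: { use_mfa: 'false' } };
console.log(runAction(optedIn));    // one enable('any') call
console.log(runAction(stringFlag)); // no calls
```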
