How to enforce a single MFA for a user

The Authentication APIs allow a user to enroll more than one MFA. How could we ensure that a user cannot set up more than one MFA?

Hi @rajivk,

Thanks for reaching out to the Auth0 Community!

I understand that you would like to enforce MFA for a single user.

In this situation, I recommend using an Auth0 Post-Login Action to selectively enforce MFA for the user.

Please review our How To Enable MFA For A Subset of Users FAQ which goes into further detail on how to accomplish this.

If you have any additional questions or need help with implementation, please feel free to reach out.

Thank you.

This link explains how we can enforce a particular MFA. Our requirement is: we allow users to choose any MFA (SMS, OTP, etc.), but a user should not be able to set up more than one MFA. There must be only one active MFA (whichever the user chooses) at a time.

Hi @rajivk,

Thank you for your response and clarification.

Unfortunately, it is not possible to prevent users from enrolling in alternative MFA factors if you have more than one factor enabled.

Meaning that it is not possible to enforce a specific factor without providing alternative methods to authenticate with MFA.

I hope this answers your questions.

Please let me know if you need help with anything else.

Thank you.

@rueben.tiow thank you.

So my understanding is: a user can have any number of active MFAs enrolled at a time, given that they have been enabled from the Auth0 dashboard. We cannot restrict users to having one active MFA (of their choice) enrolled at a time.

BTW, I tried to enroll a user with OTP and then with SMS using the Authentication API. It says that the user is already enrolled.

Hi @rajivk,

Thank you for your response.

Yes, your understanding is correct! :+1:

To better understand the situation, could you please share the requests you made to enroll a user with OTP and SMS?

Thank you.

Hi @rueben.tiow

I used

  • /mfa/challenge for otp generation
  • /mfa/associate for associating MFA
  • /oauth/token for verification

Hi @rajivk,

Thank you for your reply.

As far as I can tell, it seems like you are adding MFA factors correctly for your users by calling those endpoints.

In this case, could you please confirm if the SMS and OTP MFA factors are enabled for the user on the Auth0 Dashboard > User Management > Users page?

It may also be worth resetting the MFA and retrying the MFA enrollment again.

Lastly, if this issue continues, could you please send me a direct message of your tenant’s name for me to investigate further?

Please let me know how this goes for you.

Thank you.

In this case, could you please confirm if the SMS and OTP MFA factors are enabled for the user on the Auth0 Dashboard > User Management > Users page?

Yes, SMS and OTP both are enabled on this page.

It may also be worth resetting the MFA and retrying the MFA enrolment again.

I tried it using the API mentioned in the previous replies, and I cannot configure more than one MFA at a time for a user. Could you share any docs or article that say it is even possible in Auth0?

Hi @rajivk,

Thank you for your clarification.

If SMS and OTP are both enabled for the user, then it is normal to see a message indicating that the user is already enrolled in those factors. Therefore, calling the /mfa/associate endpoint for that user is not needed since they have already enrolled in both SMS and OTP MFA factors.

At this point, you can proceed by calling the /mfa/challenge endpoint for OTP/SMS generation, and verify MFA for OTP/SMS by calling the /oauth/token endpoint.

You should be able to configure more than one MFA factor for a user at a time. Our Enable Multi-Factor Authentication documentation explains that:

“In the Factors section, choose the factors that you want to enable with toggles. Any or all of these factors can be enabled simultaneously.”

Please see these resources on enrolling SMS and OTP MFA:

Thank you.

I think I am not able to clarify the scenario.

There are two separate things:

  1. Could we enable multiple factors for the tenant?
    My observation: yes, we can. Your docs explain it.
    NOTE: This is clear to me. No further answer is required for this question.

  2. Could a user configure multiple MFAs, like SMS and OTP, for their account and choose any one of them for login?
    For a better explanation, let's take an example:
    Tenant setting: We have configured MFA and SMS from this article for the tenant, so a user should be able to choose any one of them. We have also marked MFA as always.
    User: A user logs in for the first time after signup. Auth0 enforces configuring any one MFA from SMS or OTP. Let's say the user decides to configure OTP-based MFA. After some days this user wants to configure SMS (while keeping the OTP-based MFA) for his/her account, so he/she could choose either one at the time of login.

    1. Is this scenario possible?
      My observation: When I tried to configure SMS-based MFA using the APIs while OTP was already configured, it failed.
    2. Have you tried the above scenario, or is there any doc confirming the same?

Is there any configuration that we need to enable to support this scenario?


Hi @rajivk,

Thank you for your response.

Yes, this is possible. Here is an example of my MFA settings enabled with multiple factors:

Yes, this is possible. Whenever a user logs in for the first time, they will be shown the most secure factor available but will be allowed to choose another factor to use if they have more than one factor enabled in the Dashboard. There should be a Try another method button on the MFA screen to allow the user to select another factor.

Please see this response in another thread by my colleague showing that it is possible for both OTP and SMS working.

I hope this helps!

Thank you.


Hi @rueben.tiow

Yeah, this order works as mentioned in this post: adding SMS and then configuring OTP MFA.

But it does not work in the reverse order, i.e. adding OTP and then SMS-based MFA. Could you please confirm this order?

Hi @rajivk,

Thank you for your reply.

Yes, I can confirm that this order will work. To do so, you could make a request to the Authentication API’s Add an Authenticator endpoint to add OTP first before adding SMS.

Please let me know if there’s anything else I can do to help.

Thanks!

Hi @rueben.tiow

I tried this order multiple times, but it does not work. It says an MFA is already registered. But the reverse order works fine. Could you please try it at your end?


Hi @rajivk,

Thank you for your response and I’m sorry for the delayed reply.

I have just tested this myself on my tenant and it works successfully. I managed to get OTP enrolled before SMS.

Please let me know if you have any additional questions.

Thanks,
Rueben


Hi @rajivk. We recently released a feature that may work well for your use case that you have described here: Customize MFA Selection.

I’d recommend using a combination of the event.user.enrolledFactors to determine whether the user has any enrolled factors (see event object docs below & sample code in the feature docs) and the challengeWith or challengeWithAny (see api object docs below & sample code in the feature docs) commands. You can also use the additionalFactors to leverage the ‘Try Another Method’ and allow users to choose which MFA factor that they’d like to be challenged with on their initial MFA challenge.

Take a look at the overall feature documentation to get more information about the feature.
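The following is an added example, not code from this thread or from Auth0's own documentation, showing how the Post-Login Action approach suggested earlier in the thread and the event.user.enrolledFactors / challengeWith commands named in the last reply fit together to meet the original requirement (each user keeps exactly one active factor of their choice). It assumes the shapes documented for the Actions MFA API: event.user.enrolledFactors is an array of objects with a type field such as 'otp' or 'sms', api.authentication.enrollWithAny takes a list of factor objects, and api.authentication.challengeWith takes a factor object plus an options object whose additionalFactors list drives the Try Another Method screen. The list of tenant-allowed factors is constructed for the example.

```javascript
// Added example (not the thread's or Auth0's own code): a Post-Login Action
// that lets a user keep exactly one active MFA factor of their choice.
// Assumed Actions API shapes (from the Customize MFA Selection docs):
//   event.user.enrolledFactors -> [{ type: 'otp' | 'sms' | 'email' | ... }]
//   api.authentication.enrollWithAny([{ type }, ...])
//   api.authentication.challengeWith({ type }, { additionalFactors: [...] })

// Factors the tenant offers for self-service enrollment (constructed list;
// keep it in sync with the factors toggled on in the Dashboard).
const ALLOWED_FACTORS = ['otp', 'sms'];

// Decide what the Action should do for this login. Kept synchronous and free
// of Auth0 objects so the decision can be tested without a tenant.
function planMfa(enrolledFactors, allowed = ALLOWED_FACTORS) {
  const enrolled = (enrolledFactors || [])
    .map((f) => f.type)
    .filter((t) => allowed.includes(t));

  if (enrolled.length === 0) {
    // First login after signup (or only factors the tenant no longer allows):
    // let the user pick any one allowed factor.
    return { action: 'enrollWithAny', factors: allowed.map((type) => ({ type })) };
  }

  // Already enrolled: challenge with the factor the user chose and offer no
  // alternatives, so the login flow never adds a second factor. If more than
  // one allowed factor exists (e.g. enrolled through the Authentication API),
  // the first one reported by Auth0 is used.
  return {
    action: 'challengeWith',
    factor: { type: enrolled[0] },
    options: { additionalFactors: [] },
  };
}

// The Action entry point. In the Action editor this is assigned as
// exports.onExecutePostLogin = onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const plan = planMfa(event.user && event.user.enrolledFactors);
  if (plan.action === 'enrollWithAny') {
    api.authentication.enrollWithAny(plan.factors);
  } else {
    api.authentication.challengeWith(plan.factor, plan.options);
  }
  return plan; // returned only so callers can inspect the decision
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports = { onExecutePostLogin, planMfa, ALLOWED_FACTORS };
}
```

The single-factor restriction lives in the empty additionalFactors list: because the user is never offered Try Another Method, the only place a second factor could be added is a direct Authentication API call, which is the path the thread shows works for both orders once the factor is enabled on the tenant. If a user must be moved to a different factor, reset their MFA from the Dashboard and let the enrollWithAny branch run again on the next login.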