How to get MFA token without authorization and universal flow?

We are creating a custom flow for MFA in our application. We have doubts about how to get the mfa token generated.

We are already aware of methods listed below:

  1. Making a request to /oauth/token with a username + password; it returns an error and an mfa token.
    1. Can't use because: it requires the username + password to be prompted, which we don’t want to do.
  2. Making a request to /authorize, requesting the /mfa/ audience with the enroll scope. The /authorize endpoint, when providing prompt=none, should return an mfa_token when encountering the error “Multifactor authentication required”, but it does not.
    1. Can't use because: this adds a login / pop-up screen, which is not suitable for our application.

The /oauth/token endpoint returns a mfa_token when using the ROPG flow, so I don’t see why the /authorize endpoint wouldn’t return a mfa_token?

We want to know what other ways are possible to generate an MFA token from the FE, without touching the login flow or any additional universal flow pop-ups.

Note: We are successfully able to enroll and challenge if an mfa token is generated.

Thanks.

Hi @khushbu

The short answer is: an mfa_token can only be generated by Auth0 during a primary authentication transaction (such as the Universal Login flow or ROPG) when MFA is required to complete that specific login, since MFA stands for Multi-Factor Authentication.

It is not possible to generate an mfa_token from the frontend on demand without initiating one of these login flows.

Since you cannot obtain an mfa_token without one of the login flows you’ve ruled out, the recommended approach for triggering MFA for an already authenticated user is Step-Up Authentication.

This pattern is used when a user, who is already logged in, tries to access a sensitive part of your application (e.g., admin settings, payment details).

  1. Your application detects that the user is trying to access a protected resource.

  2. Your application initiates a new authentication request to the /authorize endpoint.

  3. Crucially, you include the amr_values=mfa parameter in this request.

  4. Auth0 receives this request. It checks if the user already has a valid session (so it doesn’t ask for a password), but it also recognizes the amr_values=mfa parameter, which forces it to challenge the user for a second factor.

  5. Once the user completes the MFA challenge, Auth0 redirects back to your application with new tokens, which now include “mfa” in the amr (Authentication Methods Reference) claim, proving the step-up was successful.

While this does use the Universal Login flow (a redirect), it achieves your goal of not prompting for a password and only triggering the MFA challenge.

If you have any further questions, please don’t hesitate to reach out.

Have a good one,
Vlad
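The step-up pattern from the answer above, as an added example that is not part of the original thread or Auth0's own code: it builds the /authorize request with the `amr_values=mfa` parameter named in the answer, then checks the returned ID token's `amr` claim before the application grants access to the sensitive resource. The tenant domain, client ID, redirect URI, nonce and the sample tokens are all constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode


def build_step_up_url(domain, client_id, redirect_uri, state, nonce):
    """Build the /authorize request that re-authenticates an existing session with MFA.

    amr_values=mfa is the parameter named in the answer; the rest are the standard
    OIDC authorization-code parameters. state and nonce are required so the callback
    can be tied back to this exact request (CSRF and token-replay protection).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "amr_values": "mfa",  # forces the second-factor challenge on the live session
    }
    return f"https://{domain}/authorize?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Return the JWT payload for inspection; this does NOT verify the signature.

    A real application must validate signature, issuer, audience and expiry
    (e.g. with an OIDC library) before trusting any claim read here.
    """
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def step_up_satisfied(claims, expected_nonce):
    """Grant the sensitive resource only if the token proves MFA for this request."""
    if claims.get("nonce") != expected_nonce:
        return False
    amr = claims.get("amr") or []
    return isinstance(amr, list) and "mfa" in amr


# Constructed sample tokens (fake header/signature), not real Auth0 output.
def _fake_jwt(payload):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(payload)}.fakesig"


TOKEN_WITH_MFA = _fake_jwt({"sub": "auth0|user", "nonce": "n1", "amr": ["pwd", "mfa"]})
TOKEN_WITHOUT_MFA = _fake_jwt({"sub": "auth0|user", "nonce": "n1", "amr": ["pwd"]})
```

Call `build_step_up_url(...)` when the user reaches the protected area, and only unlock it when `step_up_satisfied(id_token_claims(token), nonce)` returns True for the token received on the callback.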