Improvements in the Dashboard MFA Section

We shipped an update to the MFA section of the Dashboard to simplify the way you configure MFA.

Page Layout

In our previous MFA section, there were two different pages that you could use to enable MFA factors:

We made it simpler by letting you enable all factors from the same page:

Enabling Factors

Previously, whenever you enabled a factor, a rule was created that forced all users to perform MFA with that factor.

When you disabled a factor, a confirmation dialog was displayed, the rule was deleted, and users who had enrolled that factor could no longer use MFA.

In the new version:

  • Enabling a factor does not enable MFA. It tells Auth0 that when MFA is enabled, that factor will be available for end-users.
  • Disabling a factor still lets users authenticate with MFA if they have other factors enabled in the tenant.

Enabling MFA

Up to now, MFA was enabled with the rule that was added when you turned on a factor. In the new version we made it simpler by adding a new “Always require Multi-factor Authentication” setting:

When the flag is enabled, all users will be required to complete MFA in all applications. However, all rules will still be processed and will override the flag’s setting, which preserves the existing behavior in all tenants.

If you had already configured MFA previously, you’ll see that the flag is disabled and MFA will keep working through the rule. The rule can be edited in the Rules section.

Configuring MFA in Rules

Rules for enabling MFA usually have the following form:

function (user, context, callback) {
    context.multifactor = { 
      provider: 'guardian',
    };
    callback(null, user, context);
}

Moving forward, rules should be written like:

function (user, context, callback) {
    context.multifactor = { 
      provider: 'any',
    };
    callback(null, user, context);
}

Instead of forcing the MFA factor to ‘guardian’, ‘google-authenticator’, or ‘duo’, we say ‘any’, which means “any of the available factors”.
You can also use ‘none’ to disable MFA for a specific case:

function (user, context, callback) {
  // Skip MFA for one specific application, identified by its client ID.
  if (context.clientID === 'Bqte94oBQ33CdqM8JC18c9F9xRbAAuQq') {
    context.multifactor = {
      provider: 'none'
    };
  }
  callback(null, user, context);
}

You can still use the ‘guardian’ or ‘google-authenticator’ providers for backwards compatibility, or when you want to force a factor for one specific scenario.

You can find the updated documentation here https://auth0.com/docs/multifactor-authentication.

We’d love to hear your feedback about these changes! Please reply to the post if you have any questions/concerns.

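As an added example (not code from the original post or from Auth0), here is a rule in the recommended form that combines the three provider values discussed above (‘none’ for an exempt application, a forced ‘guardian’ factor for one sensitive application, ‘any’ as the default), together with a small harness that invokes the rule the way the rules engine does (rule(user, context, callback)) and models the precedence described in the “Enabling MFA” section: a provider set by the rule wins, otherwise the “Always require Multi-factor Authentication” flag decides. The client IDs, the harness and the flag modelling are assumptions made for illustration; only context.clientID, context.multifactor and the callback signature come from the post.

```javascript
// Added example, not from the original post or from Auth0's own code.
// Models an Auth0 rule in the new style plus a tiny harness that calls it
// the way the rules engine does: rule(user, context, callback).

// Constructed client IDs for illustration; real ones live in your Dashboard.
const EXEMPT_CLIENT_ID = 'internalHealthCheckClient0000000';
const ADMIN_CLIENT_ID = 'adminConsoleClient00000000000000';

// Rule in the recommended form: one exemption, one forced factor, 'any' otherwise.
function mfaRule(user, context, callback) {
  if (context.clientID === EXEMPT_CLIENT_ID) {
    // Skip MFA entirely for this one application.
    context.multifactor = { provider: 'none' };
  } else if (context.clientID === ADMIN_CLIENT_ID) {
    // Force a specific factor for the admin console (backwards-compatible form).
    context.multifactor = { provider: 'guardian' };
  } else {
    // Default: require MFA with any factor enabled in the tenant.
    context.multifactor = { provider: 'any' };
  }
  callback(null, user, context);
}

// A rule that only carves out an exemption and says nothing about everyone else,
// so the tenant-level flag decides for the remaining applications.
function exemptOnlyRule(user, context, callback) {
  if (context.clientID === EXEMPT_CLIENT_ID) {
    context.multifactor = { provider: 'none' };
  }
  callback(null, user, context);
}

// Harness (assumption: a simplified model of the precedence the post describes,
// not the Auth0 engine). Returns the provider that would be used for the login:
// the rule's choice if it set one, 'any' if the tenant flag is on, else null (no MFA).
function runRule(rule, clientID, alwaysRequireMfa) {
  const user = { user_id: 'auth0|example' }; // constructed user
  const context = { clientID };
  let provider = null;
  rule(user, context, (err, u, ctx) => {
    if (err) throw err;
    if (ctx.multifactor && ctx.multifactor.provider) {
      provider = ctx.multifactor.provider; // rule decision overrides the flag
    } else if (alwaysRequireMfa) {
      provider = 'any'; // tenant flag applies when the rule is silent
    }
  });
  return provider;
}
```

Note that a rule returning ‘none’ also overrides the flag in this model, which is what the post says happens (rules are processed and override the flag’s setting). If you rely on the flag rather than the rule for the default case, audit your existing rules for branches that set ‘none’ so that an exemption written for one application does not silently widen.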

Let us know if you have any questions regarding that!