
Include claim in id_token when MFA was used?

mfa
id_token
oidc

#1

We’re looking at enabling multifactor auth for our app. However, we would like to consider making some parts of the app only visible if the user logged in using MFA (otherwise we’d provide instructions on how to sign up for MFA, if required, and a button to log in using MFA).

When we receive an id_token or access_token, is there a built-in way that we can tell if MFA was used? Or do we have to use the rules to add custom claims at the same time that they tell Auth0 to require MFA?

It would be really useful if Auth0 provided this as a built-in option, so we could be more confident that the presence of that claim in the token meant that MFA really was used, rather than having to get the right logic in our rule.


#2

Hi @martin.pain
When a user uses MFA to authenticate, the ID Token will have an amr (authentication method reference) claim in the payload with an mfa value in it. Note that amr is an array and there could be other possible values in the future, so the check should be something like:

mfaUsed = payload.amr && payload.amr.indexOf('mfa') >= 0;

This is a sample ID token payload with MFA used:

{
  "iss": "https://nico-sabena.auth0.com/",
  "sub": "xxxxxxxx",
  "aud": "xxxxxxxx",
  "iat": 1540342205,
  "exp": 1540345805,
  "acr": "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
  "amr": [
    "mfa"
  ],
  "nonce": "nonce"
}

Take a look at Step-up authentication for details on this exact scenario.
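The amr check described in this reply, worked through as an added example (not code from the thread or from Auth0): it decodes the payload of an ID token, treats a missing or malformed amr claim as "MFA not proven", and turns the result into a routing decision for the MFA-only part of the app. It assumes the token's signature, iss, aud, exp and nonce have already been verified by a JWT library; the tenant, sub, aud and token values below are constructed.

```javascript
// Added example, not Auth0's code. decodeJwtPayload only PARSES the token;
// signature/iss/aud/exp/nonce verification must already have happened.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 parts)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

function mfaUsed(payload) {
  // amr is an array of authentication method references and may carry other
  // values besides "mfa"; a missing or non-array claim means MFA was NOT proven.
  return Array.isArray(payload.amr) && payload.amr.includes('mfa');
}

function accessDecision(payload) {
  // Gate the MFA-only area: allow if amr proves MFA, otherwise send the user
  // to the enrollment / step-up prompt instead of erroring.
  return mfaUsed(payload)
    ? { area: 'mfa-only', action: 'allow' }
    : { area: 'mfa-only', action: 'prompt-step-up' };
}

// Constructed sample payloads modelled on the one shown in the reply above.
const mfaPayload = {
  iss: 'https://example-tenant.auth0.com/', sub: 'user|123', aud: 'client-id',
  iat: 1540342205, exp: 1540345805,
  acr: 'http://schemas.openid.net/pape/policies/2007/06/multi-factor',
  amr: ['mfa'], nonce: 'nonce',
};
const pwdOnlyPayload = {                       // same session shape, no amr claim
  iss: 'https://example-tenant.auth0.com/', sub: 'user|123', aud: 'client-id',
  iat: 1540342205, exp: 1540345805, nonce: 'nonce',
};

// Constructed token to exercise the decoder offline. The signature segment is a
// placeholder, so this token would (correctly) fail real verification.
function constructedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}
```

Read the claim from the verified ID token, as the reply says, and fail closed: anything other than an amr array containing "mfa" routes to the step-up prompt.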


#3

Thanks, that’s just what I was looking for.