We’re looking at enabling multifactor auth for our app. However, we would like to consider making some parts of the app only visible if the user logged in using MFA (otherwise we’d provide instructions on how to sign up for MFA, if required, and a button to log in using MFA).
When we receive an id_token or access_token, is there a built-in way that we can tell if MFA was used? Or do we have to use the rules to add custom claims at the same time that they tell Auth0 to require MFA?
It would be really useful if Auth0 provided this as a build-in option, so we could be more confident that the presence of that claim in the token meant that MFA really was used, rather than having to get the right logic in our rule.