Increase in MFA Requests and Risk Assessments Not Populated After Deploying Using Auth0 Deploy CLI

Problem statement

While using Adaptive MFA risk assessments in an MFA-specific action, an increase in the MFA prompts was observed after deploying a new configuration to the tenant using the Auth0 deploy CLI. After the configuration deployment, the risk assessments in the MFA action were not getting populated.

Symptoms

  • Using an Action to trigger MFA based on risk factors (Adaptive MFA).
  • End users are prompted for MFA more often after a recent deployment using the deploy CLI.

Steps to reproduce

Run a deployment using the deploy CLI and force an adaptive MFA Action to use the older v2 action trigger.
You can also patch the Action via the Management API.

To reproduce, the payload needs to contain the following:

"supported_triggers": [
    {
      "id": "post-login",
      "version": "v2"
    }
]

Cause

The deploy CLI was run and the post-login trigger version was changed to v2 or v1, while v3 is required for adaptive MFA risk factors to correctly function.

Solution

For risk assessment factors to be populated correctly, the deployed action should have the v3 or higher version of the post-login trigger.

With the deploy CLI Directory format, there will be two files for each action: one .js file, which is the action code, and a .json file, which is the action configuration.
In the .json file, the version should be set to v3 or newer:

"supported_triggers": [
    {
      "id": "post-login",
      "version": "v3"
    }
]

With the deploy CLI YAML format, in the tenant.yaml file within the supported_triggers section, the version should be set to v3 or newer.

actions:
  - name: Action Name
    code: ./actions/Action Name/code.js
    dependencies: []
    deployed: true
    runtime: node16
    secrets: []
    status: built
    supported_triggers:
      - id: post-login
        version: v3
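
A pre-deployment check for the condition described above, added here as an example and not part of the original article or Auth0's tooling. It takes already-parsed action configurations (the contents of each action's .json file, or the actions list from tenant.yaml) and reports every post-login trigger below v3. The function names and sample action names are hypothetical, and flagging a missing version is an assumption of this example.

```javascript
// Added example (not Auth0's code): pre-deploy check for the post-login trigger version.
// Input: action configuration objects, e.g. JSON.parse of each action's .json file
// (directory format) or the parsed `actions` list from tenant.yaml (YAML format).

const MIN_POST_LOGIN_VERSION = 3; // per this article: v3 or newer is required

// Parse "v3" -> 3; anything else (missing, "3", "latest") -> null.
function parseTriggerVersion(version) {
  const match = /^v(\d+)$/.exec(typeof version === "string" ? version.trim() : "");
  return match ? Number(match[1]) : null;
}

// Return one finding per post-login trigger that is older than v3 or unparseable.
function findStalePostLoginTriggers(actions) {
  const findings = [];
  for (const action of actions) {
    for (const trigger of action.supported_triggers || []) {
      if (trigger.id !== "post-login") continue; // other triggers are versioned separately
      const parsed = parseTriggerVersion(trigger.version);
      if (parsed === null || parsed < MIN_POST_LOGIN_VERSION) {
        findings.push({
          action: action.name,
          version: trigger.version === undefined ? null : trigger.version,
          // Assumption of this example: a missing version is flagged for review.
          reason: parsed === null ? "missing or unrecognised version" : "older than v3",
        });
      }
    }
  }
  return findings;
}

// Constructed sample configurations (hypothetical action names).
const sampleActions = [
  { name: "Adaptive MFA", supported_triggers: [{ id: "post-login", version: "v2" }] },
  { name: "Enrich Profile", supported_triggers: [{ id: "post-login", version: "v3" }] },
  { name: "M2M Claims", supported_triggers: [{ id: "credentials-exchange", version: "v2" }] },
  { name: "No Version", supported_triggers: [{ id: "post-login" }] },
];

const sampleFindings = findStalePostLoginTriggers(sampleActions);
for (const f of sampleFindings) {
  console.log(`${f.action}: post-login ${f.version} (${f.reason})`);
}
```

In a CI pipeline, fail the job when the returned list is non-empty so the deployment never reaches the tenant.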