Problem statement
While using Adaptive MFA risk assessments in an MFA-specific action, an increase in the MFA prompts was observed after deploying a new configuration to the tenant using the Auth0 deploy CLI. After the configuration deployment, the risk assessments in the MFA action were not getting populated.
Symptoms
- Using an Action to trigger MFA based on risk factors (Adaptive MFA).
- Docs: Customize Adaptive MFA
- End Users are prompted for MFA more often a recent deployment using the deploy CLI.
Steps to reproduce
Run a deployment using deploy CLI and force an adaptive MFA Action to use the older v2 action trigger.
You can also patch the Action via the Management AP.
The payload needs to have the following to reproduce:
"supported_triggers": [
{
"id": "post-login",
"version": "v2"
}
Cause
The deploy CLI was run and the post-login trigger version was changed to v2 or v1, while v3 is required for adaptive MFA risk factors to correctly function.
Solution
For risk assessment factors to be populated correctly, the deployed action should have the v3 or higher version of the post-login trigger.
With the deploy CLI Directory format, there will be two files for each action: one .js file, which is the action code, and a .json file, which is the action configuration.
In the .json file, the version should be set to v3 or newer:
"supported_triggers": [
{
"id": "post-login",
"version": "v3"
}
With the deploy CLI Yaml format, in the tenant.yaml file within the supported_triggers section, the version should be set to v3 or newer.
actions:
- name: Action Name
code: ./actions/Action Name/code.js
dependencies: []
deployed: true
runtime: node16
secrets: []
status: built
supported_triggers:
- id: post-login
version: v3