Per the Auth0 MFA API, we understand that we must use the Resource Owner Password Grant rather than an implicit OAuth2 flow (web redirection) if we want to be able to embed the MFA code input into the app UI.
What’s not clear is if we can perform an MFA challenge, through the Auth0 MFA API, independently of user authentication. From what I got in your API documentation, we need to obtain an MFA_TOKEN to call the MFA challenge API endpoints, and it seems that the only way to obtain it is to perform a ROPG token request, which must include the user’s credentials.
We want to ask the user for an MFA challenge when submitting specific sensitive actions, so the user is already logged in and we don’t want to ask him/her to provide a login/password again.
Thanks