Integrate MFA challenge response inside our app

Per the Auth0 MFA API, we understand that we must use the Resource Owner Password Grant rather than an implicit OAuth2 flow (web redirection) if we want to be able to embed the MFA code input into the app UI.

What’s not clear is whether we can perform the MFA challenge, through the Auth0 MFA API, independently of user authentication. From what I got in your API documentation, we need to obtain an MFA_TOKEN to call the MFA challenge API endpoints, and it seems that the only way to obtain it is to perform a ROPG token request, which must include the user’s credentials.

We want to ask the user for an MFA challenge when submitting specific sensitive actions, so the user is already logged in and we don’t want to ask him/her to provide a login/password again.

Thanks

Hey @simon.ew, I wouldn’t recommend switching to ROPG just to use the MFA API for this use case. But to answer your question, yes, you need to perform an ROPG call (with credentials) to get an mfa_token.

Have you taken a look at the Step-Up authentication docs? Add Step-up Authentication
These cover almost the exact scenario you are after. Assuming the user’s Auth0 session is still there, they won’t be asked for credentials. They would be sent directly to the MFA page.
The user would be asked for credentials only if their session has ended. This session lifetime can be configured in the dashboard: Configure Session Lifetime Settings
