Problem statement
We are looking to turn MFA on by default, but we are looking to limit it to only the users who don’t bring their own SSO to our platform. So these users would use the traditional Auth0 database connection. Is there any way I can limit MFA to just those users without using a tag on each user and just check if they are in that database connection?
Solution
You can accomplish this by creating a custom Post-login Action that forces MFA only for users coming from the specific connections you care about. The Action would look similar to the snippet below: it forces MFA for every login that does not arrive through a federated (social or enterprise) connection, which leaves the database-connection users as the ones who are prompted.
exports.onExecutePostLogin = async (event, api) => {
  // event.authentication.methods lists how the user authenticated; social and
  // enterprise logins report "federated". Guard against the array being absent.
  const methods = (event.authentication && event.authentication.methods) || [];
  if (methods.length === 0 || methods[0].name !== "federated") {
    // Require any enrolled factor and do not let the browser skip future prompts.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
};
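The check above keys off the first authentication method. An alternative that targets the database connection directly is to look at event.connection.strategy, which Auth0 sets to "auth0" for database connections. The following is an added example, not code from the original answer or from Auth0; the mock api object, the sample events and the connection ids in them are constructed here so the policy can be exercised offline.

```javascript
// Added example: gate MFA on the connection strategy instead of the first
// authentication method. `event.connection.strategy` is "auth0" for Auth0
// database connections; social and enterprise connections use other strategies.

// Pure decision function so the policy can be tested without Auth0.
function requiresMfa(event) {
  const strategy = event.connection && event.connection.strategy;
  return strategy === "auth0";
}

// Post-login Action handler in the shape Auth0 expects.
async function onExecutePostLogin(event, api) {
  if (requiresMfa(event)) {
    // Require any enrolled factor on every login from a database connection.
    api.multifactor.enable("any", { allowRememberBrowser: false });
  }
}

// Constructed stand-in for the Action `api` object that records calls.
// This is not Auth0's own object; it only captures what the handler asked for.
function makeMockApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
}

// Constructed sample events (connection ids are placeholders, not real values):
// one database login and one Google social login.
const sampleEvents = {
  database: {
    connection: {
      id: "con_DATABASE_PLACEHOLDER",
      name: "Username-Password-Authentication",
      strategy: "auth0",
    },
    authentication: { methods: [{ name: "pwd" }] },
  },
  google: {
    connection: {
      id: "con_GOOGLE_PLACEHOLDER",
      name: "google-oauth2",
      strategy: "google-oauth2",
    },
    authentication: { methods: [{ name: "federated" }] },
  },
};

// Run the handler against a mock api and report how many MFA enable calls
// it made (1 when MFA was required, 0 when it was not).
async function runPolicy(event) {
  const api = makeMockApi();
  await onExecutePostLogin(event, api);
  return api.calls.length;
}

// Expose the handler the way an Auth0 Action module does, when running under
// CommonJS.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Checking the strategy rather than methods[0] means a passwordless or passkey login on a non-database connection is not swept in by accident, and the policy stays correct if the order of entries in event.authentication.methods changes.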
Reference for post-login action event object: