Limit MFA Requirement to Database Users Only

konrad.sopala · October 4, 2023, 10:40am

Problem statement

We are looking to turn MFA on by default, but we are looking to limit it to only the users who don’t bring their own SSO to our platform. So these users would use the traditional Auth0 database connection. Is there anyway I can limit MFA to just those users without using a tag on each user and just check if they are in that database connection?

Solution

You can accomplish this by creating a custom Post-login Action which would force MFA only for the users from the specific connections. The Action would look similar to this (it would force MFA for all non-federated social and enterprise connections):

exports.onExecutePostLogin = async (event, api) => {

  if(event.authentication.methods[0].name !== "federated"){
    api.multifactor.enable("any",{ allowRememberBrowser: false })
  }
};

Reference for post-login action event object:

Topic		Replies	Views
Enable MFA Based on User Connection Knowledge Articles mfa , connection , extensibility , actions , mfa-enablement	1	2393	June 17, 2022
MFA for specific connections Knowledge Articles mfa-sms , connection , action , post-login-action	1	830	August 18, 2023
Selective Implementation of MFA for Specific Auth0 Database Connections Knowledge Articles database-connections , mfa-enforcement	1	253	May 16, 2024
How to disable MFA using actions? Help mfa , mfa-api	2	3108	February 17, 2023
Enforce MFA for Internal Users but not for External Customers Knowledge Articles actions , mfa-policy , post-login	1	909	August 23, 2023

Limit MFA Requirement to Database Users Only

Problem statement

Solution

Related topics