Limit MFA Requirement to Database Users Only

konrad.sopala · October 4, 2023, 10:40am

Problem statement

We are looking to turn MFA on by default, but we are looking to limit it to only the users who don’t bring their own SSO to our platform. So these users would use the traditional Auth0 database connection. Is there anyway I can limit MFA to just those users without using a tag on each user and just check if they are in that database connection?

Solution

You can accomplish this by creating a custom Post-login Action which would force MFA only for the users from the specific connections. The Action would look similar to this (it would force MFA for all non-federated social and enterprise connections):

exports.onExecutePostLogin = async (event, api) => {

  if(event.authentication.methods[0].name !== "federated"){
    api.multifactor.enable("any",{ allowRememberBrowser: false })
  }
};

Reference for post-login action event object:

Topic		Replies	Views
MFA for specific connections Knowledge Articles mfa-sms , connection , action , post-login-action	1	829	August 18, 2023
Selective Implementation of MFA for Specific Auth0 Database Connections Knowledge Articles database-connections , mfa-enforcement	1	246	May 16, 2024
How to disable MFA using actions? Help mfa , mfa-api	2	3060	February 17, 2023
Enforce MFA for Internal Users but not for External Customers Knowledge Articles actions , mfa-policy , post-login	1	907	August 23, 2023
How to Enable MFA for a Subset of Users Knowledge Articles mfa , management-api , users , rule , user-profile , actions , use-mfa	1	9272	July 22, 2022

Limit MFA Requirement to Database Users Only

Problem statement

Solution

Related Topics