MFA disabling for respective users

Dear All,

I have searched extensively in Auth0 community threads related to disabling MFA for a particular user while keeping it enabled for other users.
I referred to this thread How to disable mfa for a particular user - #4 by chigullap but with no luck.

In my application, we enable MFA not from the tenant's Dashboard setting, but via URL arguments passed to Auth0 when the user enters username and password.

The argument we pass is acr_values='aal2'. This argument automatically enables the MFA prompt (SMS based) dialog for the user to enter a code.

Even though I have created a Rule and added the code mentioned in the thread above, my application still prompts the MFA dialog when logging in as the specific user.

In the Logs, I get the error "Failed Silent Auth" with the content shown below:

{
  "date": "2022-07-13T11:35:53.943Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "xxxxxxxxz2qhHMGZxxxxxxxxxxxx",
  "client_name": "xx-xx-Web-App",
  "ip": "165.225.122.229",
  "user_agent": "Chrome 103.0.0 / Windows 10.0.0",
  "details": {
    "body": {},
    "qs": {
      "redirect_uri": "https://app.azurewebsites.net/dashboard",
      "client_id": "xxxxxxxxz2qhHMGZxxxxxxxxxxxx",
      "connection": "main-tenant-oidc",
      "scope": "openid profile email offline_access",
      "audience": "https://xxx.abc.com",
      "acr_values": "aal2",
      "response_type": "code",
      "response_mode": "web_message",
      "state": "eUI1U1RQYX41czNMTXNoxxxxx",
      "nonce": "MUc4QkswWVdMfmN0Nxxxx",
      "code_challenge": "paVzzjEtSpkm9N7ZgyJ7gxxxxxxxxxx",
      "code_challenge_method": "S256",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoiQGF1dGgwL2F1dGgwLWFuZxxxxxx"
    },
    "connection": null,
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    },
    "riskAssessment": null
  },
  "hostname": "xxxx.auth0.com",
  "audience": "https://xxx.api.xxx.com",
  "scope": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "auth0_client": {
    "name": "@auth0/auth0-angular",
    "version": "1.9.0"
  },
  "log_id": "90020220713113554103135163004995678475438",
  "_id": "9002022071311355410313516300499567847543852",
  "isMobile": false,
  "id": "90020220713113554103135163004995678475438522"
}

So what else can I do in order to disable MFA for a particular user?

Thanks for all the help

Hi @shailesh.s

We use a Rule for this (Auth Pipeline, Rules) where we check for a specific property in the user’s metadata.

Add the following code to the rule:

  // Disable MFA for users that have user_metadata.disable_mfa = true specified
  if (user.user_metadata && user.user_metadata.disable_mfa)
  {
    return callback(null, user, context);
  }

Then open the details of the user for whom MFA needs to be disabled, scroll down to Metadata, and add the following to user_metadata:

{
  "disable_mfa": true
}
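As an added example (not code from the post above, nor Auth0's own), here is what the metadata check looks like inside a complete classic Rule, together with a small local harness so the rule's effect on `context.multifactor` can be checked without a tenant. The rule function name, the sample `user_id`, and the harness are assumptions made for illustration; `context.multifactor` with `provider` and `allowRememberBrowser` is the documented way a classic Rule requests MFA.

```javascript
// Added example, not from the original post or from Auth0: a complete classic
// Auth0 Rule (function (user, context, callback)) that requires MFA for every
// login except users flagged with user_metadata.disable_mfa = true.
// Function name and the harness below are assumptions for illustration only.

function requireMfaUnlessDisabled(user, context, callback) {
  // Skip MFA for flagged users. Returning before context.multifactor is set
  // means Auth0 never shows the MFA prompt for this login.
  // Strict equality is deliberate: a stray string such as "false" in the
  // metadata would be truthy and would silently disable MFA otherwise.
  if (user.user_metadata && user.user_metadata.disable_mfa === true) {
    return callback(null, user, context);
  }

  // Everyone else: ask Auth0 to run the tenant's enabled MFA factor(s).
  context.multifactor = {
    provider: 'any',
    allowRememberBrowser: false,
  };
  return callback(null, user, context);
}

// Local harness (assumption, not part of the Rules runtime): run the rule
// against a constructed user/context and return the resulting context.
function runRule(userMetadata) {
  const user = { user_id: 'auth0|example-user', user_metadata: userMetadata }; // constructed
  const context = { request: { query: {} } }; // constructed, minimal shape
  let result = null;
  requireMfaUnlessDisabled(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

// Does the rule leave MFA enforced for a user with this metadata?
function mfaEnforcedFor(userMetadata) {
  return runRule(userMetadata).multifactor !== undefined;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no metadata         -> MFA enforced:', mfaEnforcedFor(undefined));
  console.log('disable_mfa: true   -> MFA enforced:', mfaEnforcedFor({ disable_mfa: true }));
  console.log('disable_mfa: "yes"  -> MFA enforced:', mfaEnforcedFor({ disable_mfa: 'yes' }));
}
```

The one difference from the snippet in the post is the `=== true` comparison: the post's truthy check also accepts any non-empty string or number in `disable_mfa`, so a typo in the Dashboard metadata editor could turn MFA off for that user; comparing against the boolean keeps the opt-out explicit. The harness only exists to make the outcome observable locally; in a tenant the rule runs on every login and the `user_metadata` value is whatever was saved in the user's details.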