In my Auth0 authentication approach, I want the user to enter their email and password; if those match, we send a code to their email and display a popup to enter this code. Is it possible to implement this in Auth0? Thank you in advance.
Hello @jal.monagi ,
Welcome to the Auth0 Community!
I understand that your preference is to only have Email as a MFA factor. We do not recommend this as Email does not offer the highest security, but if this is your desired flow, we can make that happen.
You will need to enable some settings in your tenant and also have an Action for everything to work, as follows:
- Access the Authentication tab within your tenant and go to Authentication Profile. In here, select “Identifier + Password” and click on “Save”.
During the login flow, this will prompt your users for their email address and their password.
- Following this, navigate to Security → Multi-factor Auth. In here, you will need to enable two factors, as Auth0 restricts having Email as the only MFA factor.
As Email cannot be combined with only Biometrics and Recovery Code, my suggestion would be to enable One-Time Password and then Email (don’t worry, your users will not be prompted to enroll in the One-Time Password factor), then scroll a bit down and toggle on “Customize MFA Factors using Actions”.
- Head over to Actions → Triggers, select the Post-Login Action, and click on the “+” sign to create a new Action from scratch. You can use the following:
    exports.onExecutePostLogin = async (event, api) => {
      // Only users with a verified email address can receive the code, so
      // challenge them with the Email factor; deny everyone else until they verify.
      if (event.authentication && event.user.email_verified) {
        api.authentication.challengeWith({ type: "email" });
      } else {
        api.access.deny("Please verify your email in order to access your account");
      }
    };
- Click on Deploy, add the Action to the Post Login flow and click on Apply.
Your users will need to have their Email Verified in order to receive the code on their email. Because of the Action, users will be denied access and be prompted to verify their email in order to proceed. Once completed, the flow will only present them with the prompt to input the code they received over Email.
Alternatively, you can choose to skip the Action part and maintain the other settings described, which in turn will prompt the users to enroll in the other MFA factor. Once completed, on future logins the users will be prompted for the main factor (not Email), but will be presented with a “Try another method” button where they can select Email as a factor.
Thank you!
Gerald
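The Action in the answer above can be checked offline before it is deployed to a tenant. The following Node.js harness is an added example, not part of the original answer or of Auth0's own tooling: it stubs the `event` and `api` objects an Auth0 Post-Login Action receives (the stub shapes and the sample users are constructed for this example) and records whether the Action requests an Email challenge or denies access.

```javascript
// Added example, not part of the original answer or of Auth0's tooling: an offline
// harness that runs the answer's Post-Login Action against stubbed `event`/`api` objects.

// The Action under test, same logic as in the answer.
const onExecutePostLogin = async (event, api) => {
  if (event.authentication && event.user.email_verified) {
    api.authentication.challengeWith({ type: "email" });
  } else {
    api.access.deny("Please verify your email in order to access your account");
  }
};

// Stand-in for `api` that records which outcome the Action requested.
function makeApiStub() {
  const calls = { challenges: [], denials: [] };
  return {
    calls,
    authentication: { challengeWith: (factor) => calls.challenges.push(factor) },
    access: { deny: (reason) => calls.denials.push(reason) },
  };
}

// Runs the Action for a constructed login event and returns what it decided.
// `authenticated` controls whether `event.authentication` is populated.
async function decide(user, authenticated = true) {
  const api = makeApiStub();
  const event = { user, authentication: authenticated ? { methods: [] } : undefined };
  await onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed sample users for the verified and unverified branches.
const verifiedUser = { email: "alice@example.com", email_verified: true };
const unverifiedUser = { email: "bob@example.com", email_verified: false };

// Maps each scenario to "challenge:<factor>", "deny" or "none".
async function runScenarios() {
  const scenarios = [
    ["verified", verifiedUser, true],
    ["unverified", unverifiedUser, true],
    ["no-authentication", verifiedUser, false],
  ];
  const results = {};
  for (const [name, user, authed] of scenarios) {
    const { challenges, denials } = await decide(user, authed);
    results[name] = challenges.length ? `challenge:${challenges[0].type}` : denials.length ? "deny" : "none";
  }
  return results;
}

runScenarios().then((results) => console.log(results));
```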