Mfa email after authentification

jal.monagi · November 27, 2024, 3:12pm

In my auth0 authentication approach, I want the user to enter their email and password if that coordinates we send a code to their email and we display a popup to enter this code. if possible to implement this in Auth0? and thank you in advance

gerald.czifra · November 27, 2024, 8:42pm

Hello @jal.monagi ,

Welcome to the Auth0 Community!

I understand that your preference is to only have Email as a MFA factor. We do not recommend this as Email does not offer the highest security, but if this is your desired flow, we can make that happen.

You will need to enable some settings in your tenant and also have an Action for everything to work, as follows:

Access the Authentication tab within your tenant and go to Authentication Profile. In here, select “ Identifier + Password “ and click on “ Save”.

During the login flow, this will prompt your users for their email address and their password.
Following this, navigate to Security → Multi-factor Auth. In here, you will need to enable two factors, as Auth0 restricts having Email as the only MFA factor.

As Email cannot be combined with only Biometrics and Recovery Code, my suggestion would be to enable One-Time Password and then Email ( don’t worry, your users will not be prompted to enroll in the One-Time Password factor), then scroll a bit down and toggle on “Customize MFA Factors using Actions”.
Head over to Actions → Triggers, select the Post-Login Action, click on the “+” sign to create a new Action from scratch. You can use the following:

exports.onExecutePostLogin = async (event, api) => {
if(event.authentication && event.user.email_verified){
api.authentication.challengeWith ({type:"email"})
} else {
api.access.deny ("Please verify your email in order to access your account")
 }
};

Click on Deploy, add the Action to Post Login flow and click on Apply

Your users will need to have their Email Verified in order to receive the code on their email. Because of the Action, users will be denied access and be prompted to verify their email in order to proceed. Once completed, the flow will only present them with the prompt to input the code they received over Email.

Alternatively, you can choose to skip the Action part and maintain the other settings described, which in turn will prompt the users to enroll in the other MFA factor. Once completed, on future logins the users will be prompted for the main factor (not Email), but will be presented with a button to Try another method where they can select Email as a factor.

Thank you!
Gerald

system · December 11, 2024, 8:43pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enable only email MFA Help mfa , email-factor	4	478	October 1, 2024
MFA - Can't activate MFA email factor Help mfa , mfa-email	4	3325	December 30, 2020
Login asks for email verification even if users "email_verified" is true Help login , email-verification	4	2843	February 2, 2023
Auth0 Login not offering Multi Factor Authentication Help login-experience , new-universal-login-experience	11	87	November 13, 2024
MFA with Authenticator does not work immediately after invite Help mfa , one-time-password-otp-factor	4	1057	October 18, 2023

Mfa email after authentification

Related topics