MFA Login Flow on Shared Devices, No Option to Switch Accounts Before a Verification

Hi Auth0 Team,

I’m reaching out on behalf of Cubiko; we are a practice intelligence software provider using Auth0 for authentication.

We’re currently experiencing an ongoing issue that is creating significant friction for our clients. When a user attempts to log in to our platform from a browser where credentials have previously been saved, the login automatically proceeds to the MFA verification step for the saved email. There is no visible option to switch accounts or “log in with a different email” before reaching the one-time MFA code screen.

This has become a major issue for us because many of our clinic clients use shared computers. It’s very common for multiple staff members to log in to Cubiko from the same PC. In many cases, someone has saved their credentials in the browser. When another staff member then attempts to log in, they are taken straight to the MFA screen for the previously saved user, with no clear way to change the email.

While using a different browser or opening a private/incognito window works as a workaround, this is not ideal. Many of our users are not particularly tech savvy, and asking them to manage browsers or private windows has led to confusion, support load, and growing dissatisfaction.

We previously tracked this internally and were directed to raise formal feedback, referencing:
https://community.auth0.com/t/unable-to-show-the-users-email-address-on-the-mfa-otp-challenge-scree…

This issue is very important to us and directly impacts client experience, so any advice or potential solution would be greatly appreciated.

Thank you in advance, and I look forward to your response.

Hi Cubiko Team,

Thank you for such a clear explanation of the issue — and for including the background context. I completely understand how this would create friction, especially in shared-device clinic environments.

What you’re seeing is expected behavior when Universal Login + MFA is combined with an existing SSO session or browser-saved credentials. Auth0 is detecting a previously authenticated session (or remembered identifier) and proceeding directly into the MFA challenge flow for that user. By default, the MFA challenge screen does not expose an account switch option.

That said, this setup is not ideal for shared workstation scenarios like yours.

Below are the main options available to address this:

1. Force Account Selection (Prompt Parameter)

You can force the login page to always require account selection by adding:

prompt=login

to your /authorize request.

This ensures the user must re-authenticate and prevents silent session reuse. While this doesn’t add a “switch account” button inside the MFA screen itself, it prevents users from being auto-forwarded based on an existing session.

2. Disable “Remember Last Login” Behavior

If you’re using the New Universal Login experience, Auth0 may store the last used identifier in the browser. You can disable this behavior by:

  • Turning off Identifier First (if enabled), or

  • Customizing the Universal Login template to avoid pre-filling the last-used email

This reduces automatic progression to MFA for a previously saved user.

3. Add a “Not You?” / Switch Account Link (Recommended)

If you are using Custom Universal Login, you can:

  • Modify the login template

  • Detect when an MFA challenge is triggered

  • Add a visible “Not you? Log in with a different account” link

That link can redirect to:

/v2/logout?client_id=YOUR_CLIENT_ID&returnTo=YOUR_LOGIN_URL

This clears the session and forces a fresh login.

For shared-computer environments like clinics, this is usually the most user-friendly approach.

4. Disable SSO Session Persistence (If Appropriate)

Depending on your configuration, you can:

  • Adjust tenant session lifetime settings

  • Shorten or disable persistent SSO cookies

This reduces the likelihood of one user’s session impacting the next.

5. Recommended Approach for Shared Clinical Devices

Given your use case (shared PCs, non-technical users, high UX sensitivity), the best long-term solution is:

  • Force prompt=login

  • Add a visible “Switch Account” option on MFA screens

  • Optionally shorten SSO persistence

This removes the need for users to understand incognito mode or browser management.

Why This Happens

This is not a browser credential issue alone — it’s primarily:

  • Auth0 SSO session detection

  • Remembered login identifier behavior

  • MFA being tied to the active transaction

The MFA screen does not currently provide built-in multi-account switching in the New Universal Login flow.

If you’d like, I can review your current Universal Login configuration (New vs Classic, Identifier First enabled or not) and suggest a more precise implementation path.

We understand how important this is for environments like healthcare clinics where workflow interruptions quickly translate to frustration. Happy to help you implement a solution that reduces support load and improves the login experience.

Looking forward to assisting further.
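One way to wire up the `prompt=login` authorize request and the “Not you?” logout link from the reply above on the application side, as an added example that is not code from Cubiko or from Auth0. The tenant domain, client id, callback and login URLs are placeholders, and the small allowlist stands in for the tenant’s Allowed Logout URLs, which Auth0 checks `returnTo` against.

```javascript
// Added example, not Cubiko's or Auth0's code. Builds the /authorize request
// with prompt=login and the "Not you?" link to /v2/logout described in the reply.
// All domain, client id and URL values are constructed placeholders.
const AUTH0_DOMAIN = "example-tenant.auth0.com";             // placeholder tenant
const CLIENT_ID = "YOUR_CLIENT_ID";                           // placeholder from the reply
const REDIRECT_URI = "https://app.example.invalid/callback";  // placeholder
const LOGIN_URL = "https://app.example.invalid/login";        // placeholder

// Stand-in for the tenant's "Allowed Logout URLs": Auth0 rejects a returnTo that
// is not registered there, so the app should only build links it has listed.
const ALLOWED_LOGOUT_URLS = [LOGIN_URL];

// Build the /authorize URL. prompt=login forces re-authentication even when an
// SSO session or remembered identifier exists, so the next user on a shared PC
// is not auto-forwarded into the previous user's MFA challenge.
function buildAuthorizeUrl({ state, nonce }) {
  if (!state || !nonce) throw new Error("state and nonce are required");
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: "code",
    redirect_uri: REDIRECT_URI,
    scope: "openid profile email",
    prompt: "login",
    state,
    nonce,
  });
  return `https://${AUTH0_DOMAIN}/authorize?${params.toString()}`;
}

// Build the "Not you? Log in with a different account" link. /v2/logout clears
// the Auth0 session and then sends the browser to returnTo for a fresh login.
function buildSwitchAccountUrl(returnTo = LOGIN_URL) {
  // Refuse anything outside the allowlist so the link cannot be repointed.
  if (!ALLOWED_LOGOUT_URLS.includes(returnTo)) {
    throw new Error(`returnTo not in allowed logout URLs: ${returnTo}`);
  }
  const params = new URLSearchParams({ client_id: CLIENT_ID, returnTo });
  return `https://${AUTH0_DOMAIN}/v2/logout?${params.toString()}`;
}

// Parse a built URL back into its query parameters (useful for checks and logging).
function queryParams(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}
```

The `state` and `nonce` values must come from a cryptographically random source per login attempt; they are left as caller-supplied arguments here so the snippet runs anywhere.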