Hi everyone,
I’m looking for some advice regarding custom post-login MFA actions for handling user enrollment and challenges.
Here’s the issue I’ve encountered:
When I’m already enrolled in an existing factor (e.g., OTP) and attempt to enroll in a second factor (e.g: phone) using enrollWith, I receive the following error:
Additionally, the logs show this message:
An MFA enrollment was requested but the user is already enrolled in MFA. Challenge with at least one existing factor before enrolling a new one.
This happens even when authentication.methods already includes “mfa”.
If I use challengeWith before attempting the enrollment, it works as expected. However, this approach forces users to go through multiple challenges, which can feel redundant and unnecessary.
Is there a way to avoid re-challenging the user if their existing session has already been challenged?
Thanks in advance for your help!
Hi @daniel.bozinovski
Welcome to the Auth0 Community!
I am sorry about the delayed response to your inquiry!
In order to enroll a user to multiple MFAs, your action should look like this:
exports.onExecutePostLogin = async (event, api) => {
let forceEnroll = true
if (event.user.user_metadata.enrolledWithOtp === false && event.user.user_metadata.enrolledWithPhone === false) {
// already enrolled, challenge
api.authentication.challengeWithAny([{ type: 'phone'}, { type: 'otp' }]);
}
else{
api.authentication.enrollWith({type: 'otp'});
if(forceEnroll){
api.authentication.enrollWith({type: 'phone'});
}
}
}
For further information on the matter, I would recommend to review our documentation.
This way, the user will be asked to enroll to both factors when signing up or logging in or be forced to enroll in both factors.
If you have any other questions, let me know!
Kind regards
Hey @nik.baleca , thanks for the reply!
However, I don’t think my specific issue was fully addressed. My main concern is avoiding redundant MFA challenges when a user is already enrolled in one factor (e.g., OTP) and wants to enroll in a second factor (e.g., phone). I understand that using challengeWith before enrollWith works, but it forces the user to go through an additional challenge, which feels unnecessary if their session has already been authenticated or challenged.
Is there a way to bypass re-challenging the user in the same session after they’ve already been verified? I’m looking for a solution to streamline the enrollment process for additional factors without compromising security.
Thanks again for your help!
Hey again!
Sorry that I have missed that part. Just to understand what you are talking about. If an user who is already enrolled for OTP wants to enroll for another factor, do you wish to skip the part where the user is challenged for the 2nd factor during enrollment?
Ore do you wish to allow users to enroll to a 2nd factor while they are logged in without having them log out and back in so that the process is triggered by the PostLogin Action?
If that is the case, this can be quite hard to accomplish, and would require you to build your own UI to handle the behaviour. You can read more about that in our documentation here:
Otherwise, if you are talking about having the MFA trigger on all of their respective logins:
Enrollment and challenging an MFA factor are two distinct operations, due to that fact, after the user enrolls to the factors on their initial login, on their next one they will be asked to complete the MFA challenge and check the “Remember Browser for 30 days”.
After an user has been challenged and they tick that box on the respective login, any other logins on the respective device will not prompt the MFA to be triggered even if the action would challenge them to do so.
An alternative approach to this would be to set inside the metadata the specific time when they have completed the MFA challenge and trigger it again after a specific time frame (14 days/60 days/90 days).
Kind Regards,
Nik
Hey @nik.baleca ,
Yeah correct, was when they’re already enrolled into a factor and want to enrol into a second factor and are being challenged even if they have mfa inside their authentication.methods.
Thought that would be the case that we would need to implement custom functionality.
Thanks for your help!
Great I could help!
Just to provide more information on the matter, that error is being thrown because in order for a user to be able to enroll into a new MFA factor, an MFA token is required.
If you attempt to enroll an user without having them log in or undergo an MFA challenge, this token will be missing and the error will be thrown. Because of that, if you wish to basically “bypass” a login process or an MFA challenge, you would need a custom implementation in which you generate the MFA token for the user and enroll them using the Authentication API.
Kind Regards,
Nik
