We’re on the B2C Essentials plan. We have “One-time Password” enabled under “Security > Multi-factor Auth”, but new users logging in for the first time no longer seem to be required to use it. Is there another setting somewhere I’m missing that enforces the requirement of this factor?
Hi @johnwp
Welcome back to the Auth0 Community!
Have you set your Require Multi-factor Auth policy to Always?
If not, what is the policy set to and how are you enforcing MFA for your users?
Do you customize the MFA using actions?
Looking forward to your answer!
Kind Regards,
Nik
I seem to have missed that setting. I have it enabled now. Thanks for the tip!
@nik.baleca If I wanted to only require MFA for one application, would I do that as a custom action?
Hi again.
Yes! Your action would look something like this:
```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Only require MFA for logins to this one application
  if (event.client.client_id === 'YOUR_CLIENT_ID') {
    api.multifactor.enable('any');
  }
};
```
When I enable that action, it goes into an infinite MFA loop. Any ideas on what’s happening?
I see.
Since you are looking to enable MFA only for one application, I would recommend setting the MFA Policy to Never so that you can control it within the actions.
Once you set it to never, the action should prompt the users to enroll into MFA on signup or complete the challenge.
Let me know if you have any other issues!
Kind Regards,
Nik
I ended up adding some additional code to prevent the infinite MFA loop. We seem to have lost the “Remember for 30 days” option on the MFA screen. Is there a way we can get that option back?
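```javascript
exports.onExecutePostLogin = async (event, api) => {
  // Client ID of the protected application is stored as an Action secret
  if (event.client.client_id === event.secrets.clientId) {
    // Skip refresh-token exchanges
    if (event.transaction?.protocol === "oauth2-refresh-token") {
      return;
    }
    // Skip if MFA has already been completed in this session
    const completedMfa = event.authentication?.methods.some(
      (method) => method.name === "mfa"
    );
    if (completedMfa) {
      return;
    }
    api.multifactor.enable('any');
  }
};
```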
Hi,
You could try the following:
```javascript
api.multifactor.enable('any', { allowRememberBrowser: true });
```
This will display the button on the screen for the user.
Let me know if I can help with anything else!
Kind Regards,
Nik
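Added example, not part of any post in this thread and not Auth0's own code: the per-application check, the two loop guards and the `allowRememberBrowser` option combined into one Action, with the decision split into a pure function so it can be checked locally before deployment. The `mfaDecision`, `simulate` and `SAMPLES` names, the stub `api` and the `app-A`/`app-B` client IDs are constructed for illustration.

```javascript
// Pure decision function: which branch a post-login event falls into.
function mfaDecision(event) {
  // Only the application whose client ID is stored in the Action secret
  if (event.client.client_id !== event.secrets.clientId) return "other-app";
  // Refresh-token exchanges are non-interactive; no challenge can be shown
  if (event.transaction?.protocol === "oauth2-refresh-token") return "refresh";
  // MFA already completed in this session: do not request it again
  // (the guard added in the thread to stop the loop)
  const methods = event.authentication?.methods ?? [];
  if (methods.some((m) => m.name === "mfa")) return "already-done";
  return "challenge";
}

const onExecutePostLogin = async (event, api) => {
  if (mfaDecision(event) === "challenge") {
    // Keeps the "remember this browser" option on the MFA screen
    api.multifactor.enable("any", { allowRememberBrowser: true });
  }
};
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;

// Local harness (hypothetical): stub api that records multifactor.enable calls.
function simulate(event) {
  const calls = [];
  const api = {
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
  onExecutePostLogin(event, api); // handler has no await, so it finishes synchronously
  return calls;
}

// Constructed sample events, shaped like the fields the thread's code reads.
const base = { client: { client_id: "app-A" }, secrets: { clientId: "app-A" } };
const SAMPLES = {
  firstLogin: { ...base, authentication: { methods: [{ name: "pwd" }] } },
  afterMfa: { ...base, authentication: { methods: [{ name: "pwd" }, { name: "mfa" }] } },
  refresh: { ...base, transaction: { protocol: "oauth2-refresh-token" } },
  otherApp: { ...base, client: { client_id: "app-B" } },
};
```

Running `simulate` over each sample shows a single `enable` call for the first login and none for the other three, which is the behaviour to confirm before relying on the Action with the tenant MFA policy set to Never.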