MFA on Change Password Flow

Hello Auth0 community - Is there any way I can enable MFA on the change password flow?

  1. User clicks on Forgot Password link
  2. Enters his email address.
  3. Gets a link to change his password and the user clicks on the link.
  4. Auth0 prompts for MFA to phone/SMS.
  5. Successful MFA and then change password with prompt.

Is this possible using Actions or Rules?

Thanks

Hi @mdav1.diap,

I do not think the exact flow can be accomplished here to prompt MFA before changing password, BUT you could look at enforcing MFA after the password has been changed using Actions.
As an example, using the Post Change Password Flow you could add metadata to the user to flag that this change has happened, then during the next login you could use another action to check that flag and, if true, prompt for MFA during the login flow.

Kind Regards,
Nathan

1 Like
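
The flag-then-step-up approach from the reply above, as an added example that is not part of the original thread and not Auth0's own code. The metadata key `mfa_after_password_change`, the secrets `TENANT_DOMAIN` and `MGMT_API_TOKEN`, and the helper `stepUpDecision` are assumptions made for illustration.

```javascript
// Added example; names marked "hypothetical" are assumptions, not Auth0 defaults.
// In the Actions editor each handler lives in its own Action as exports.<name>.
const FLAG = 'mfa_after_password_change'; // hypothetical app_metadata key

// Post Change Password trigger: record that a password change happened.
// Assumes the flag is written via the Management API (PATCH /api/v2/users/{id})
// using hypothetical secrets TENANT_DOMAIN and MGMT_API_TOKEN (update:users scope).
async function onExecutePostChangePassword(event, api) {
  const url = `https://${event.secrets.TENANT_DOMAIN}/api/v2/users/` +
    encodeURIComponent(event.user.user_id);
  const res = await fetch(url, {
    method: 'PATCH',
    headers: {
      authorization: `Bearer ${event.secrets.MGMT_API_TOKEN}`,
      'content-type': 'application/json',
    },
    body: JSON.stringify({ app_metadata: { [FLAG]: true } }),
  });
  // Surface failures: an unflagged user would skip the MFA step-up entirely.
  if (!res.ok) throw new Error(`flagging user failed: HTTP ${res.status}`);
}

// Pure decision helper (hypothetical) so the logic can be tested without a tenant.
function stepUpDecision(event) {
  const flagged = event.user.app_metadata?.[FLAG] === true;
  const methods = event.authentication?.methods ?? [];
  const mfaDone = methods.some((m) => m.name === 'mfa');
  return { requireMfa: flagged && !mfaDone, clearFlag: flagged && mfaDone };
}

// Post Login trigger: force MFA while the flag is set, and clear the flag only
// once a session that has completed MFA is observed (fails closed otherwise).
async function onExecutePostLogin(event, api) {
  const { requireMfa, clearFlag } = stepUpDecision(event);
  if (requireMfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  } else if (clearFlag) {
    api.user.setAppMetadata(FLAG, false);
  }
}
```

Because the Post Login Action runs before the MFA challenge, the flag is cleared on a later execution that sees `mfa` among the session's authentication methods, not in the same run that requested the challenge.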

Thanks for the reply, Nathan. It answers the way it can be done with Auth0 limitations.

MFA trigger on Reset Password or Change password is what we are looking for. Do you know if this is in feature enhancements?

Mat

Hi @mdav1.diap,

Thanks for submitting your feedback for the feature request.

I’ve also had a look into this and it appears we do have an item on our roadmap that aims to support this flow, named “Flexible Account Recovery with any factor”. Currently this item has a target date of Q4 and details about the feature update include a new Action Flow for Account Recovery that would allow for an MFA trigger before the password is changed. We will know more about the feature later in the year.
FYI - Stay up to date with product updates by subscribing to the Auth0 Changelog

Thanks!

2 Likes
