MFA OTP for Specific Applications

emurphy · September 12, 2024, 9:04pm

Ready to post? First, try searching for your answer.
I have 2 Applications in my Staging Tenant. I need to enforce MFA for only one of the applications.

In the Panel, I have:
Require Multi-factor Auth set == Never
Enable Adaptive MFA Risk Assessment == On
Show Multi-factor Authentication options == On
Customize MFA Factors using Actions == On

I receive this error from the non-mfa-app post login:
Something Went Wrong
Two-factor authentication is required to access this application. To enable this, please contact your system administrator.

Here is my custom Login Action:

exports.onExecutePostLogin = async (event, api) => {
  // immediately bust out if non-mfa-app - we do not require MFA for this app
  if (event.client.name == "non-mfa-app"){
    return;
  }

  const promptConfidences = ['low', 'medium'];

  const confidenceDevice =
      event.authentication?.riskAssessment?.assessments?.NewDevice?.confidence;
  const confidenceIP =
      event.authentication?.riskAssessment?.assessments?.UntrustedIP?.confidence;
  const confidenceTravel =
      event.authentication?.riskAssessment?.assessments?.ImpossibleTravel?.confidence;
      
  const shouldPromptMfa =
      confidenceDevice && promptConfidences.includes(confidenceDevice) 
      || confidenceIP && promptConfidences.includes(confidenceIP)
      || confidenceTravel && promptConfidences.includes(confidenceTravel);

  const canPromptMfa =
      event.user.multifactor && event.user.multifactor.length > 0;
  
  if (shouldPromptMfa && canPromptMfa) {
      api.multifactor.enable('any', { allowRememberBrowser: true });
      api.authentication.enrollWith({ type: 'otp'});
  }
};

rueben.tiow · September 12, 2024, 11:08pm

Hi @emurphy,

Welcome to the Auth0 Community!

I recommend referring to our Two-factor authentication is required to access this application knowledge solution to resolve this issue.

Let me know if you have any questions.

Cheers,
Rueben

emurphy · September 13, 2024, 5:24pm

Thanks, that worked. A follow up question.

What are the confidence levels and risk assessments for the Adaptive MFA setting if enabled via the panel? In other words, is my custom Action above a match to what Auth0 has set under the hood for Adaptive MFA Risk Assessment?

rueben.tiow · September 17, 2024, 8:05pm

Hi @emurphy,

Thanks for the reply and I’m glad it worked!

As for the confidence scores and risk assessments, I suggest reading the Adaptive MFA documentation.

Thanks,
Rueben

system · October 1, 2024, 8:06pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.