1. Does Auth0 have a notion of a trusted device? What is it? Does it collect that data during sign-in or also during installation of the app?
We don’t establish trust with devices for MFA. We only track authenticator device enrollments, not the device with which you are signing in. See the following answers for more explanation. If you would like a feature that establishes a trust relationship to define when and when not to prompt for MFA, please go to the Auth0 site (“Auth0: Secure access for everyone. But not just anyone.”) to create feedback for our Product team to review.
2. Can Auth0 store trusted devices?
We don’t store trusted devices. However, you could find some workarounds by customizing the MFA prompt with rules. See: Customize Adaptive MFA with Rules.
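    function (user, context, callback) {
      // conditionIsMet() is a placeholder for your own check.
      if (conditionIsMet()) {
        context.multifactor = {
          // false: do not honor a remembered browser, prompt for MFA on this login
          allowRememberBrowser: false,
          // 'any': use any MFA factor enabled on the tenant
          provider: 'any'
        };
      }
      callback(null, user, context);
    }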
3. Does Auth0 have the functionality to pass back to UI if a user is signing in again using a trusted device (meaning we then won’t prompt for MFA)?
Not by device, but by browser:
We offer the possibility of remembering the browser from which the sign-in is performed, so it won’t prompt you for MFA for 30 days unless the browser’s cookies are removed, in which case it may ask you to log in again.
4. In Auth0, how can a sign-in be flagged as suspicious and, based on that, either “decline” or “challenge login with MFA” even though the user is logging in on a trusted device?
Yes, we have a feature called adaptive MFA. With adaptive MFA enabled, based on different risk factors, it may prompt you for MFA. For instance, if the user is accessing from an IP which is considered suspicious, it will prompt you for MFA. You can read more about this in the following documentation: Adaptive MFA
You could also customize Adaptive MFA using rules.
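As an added example (not code from Auth0 or from the original answer), the rule below combines the two answers above: a remembered browser normally skips the prompt, but a sign-in that Adaptive MFA scores as risky is challenged anyway. It assumes the `context.riskAssessment` object that Auth0 exposes to rules; the function name, the `decide` helper, the policy thresholds and the sample contexts are constructed for illustration.

```javascript
// Added example. In the Auth0 Rules editor the function is anonymous;
// it is named here only so it can be run and tested stand-alone.
function adaptiveMfaRule(user, context, callback) {
  const risk = context.riskAssessment; // absent if no risk data was computed
  const assessments = (risk && risk.assessments) || {};
  const isLow = (name) =>
    Boolean(assessments[name]) && assessments[name].confidence === 'low';

  // Assumed policy: treat missing risk data, low overall confidence, or a
  // low-confidence IP / travel signal as suspicious (fail closed).
  const suspicious =
    !risk ||
    risk.confidence === 'low' ||
    isLow('UntrustedIP') ||
    isLow('ImpossibleTravel');

  context.multifactor = {
    provider: 'any',
    // false: ignore a remembered browser and challenge on this login.
    // true: a browser remembered within the 30-day window skips the prompt.
    allowRememberBrowser: !suspicious
  };
  callback(null, user, context);
}

// Hypothetical helper: run the rule on a context and return the MFA decision.
function decide(context) {
  let result;
  adaptiveMfaRule({ user_id: 'constructed|123' }, context, (err, user, ctx) => {
    if (err) throw err;
    result = ctx.multifactor;
  });
  return result;
}

// Constructed sample contexts (not real Auth0 output).
const trustedLogin = { riskAssessment: { confidence: 'high', assessments: {
  UntrustedIP: { confidence: 'high' }, NewDevice: { confidence: 'high' } } } };
const suspiciousLogin = { riskAssessment: { confidence: 'low', assessments: {
  UntrustedIP: { confidence: 'low' }, NewDevice: { confidence: 'medium' } } } };

console.log(decide(trustedLogin));
console.log(decide(suspiciousLogin));
console.log(decide({})); // no risk data at all
```

To use it as a rule, paste only the function body into the Rules editor with the name removed, as in the snippet under question 2.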
5. Does Auth0 have a configuration setting for how often to prompt users on a trusted device (like every 60 days for example) or if it’s a trusted device never prompt again?
We offer the possibility of remembering the browser from which the sign-in is performed, so it won’t prompt you for MFA for 30 days unless the browser’s cookies are removed, in which case it may ask you to log in again.