We use a post-login script to activate MFA for specific users (after an email invite). The scenario for the issue we’re experiencing is as follows:
user has entered password after having clicked on a link in an invite email
user is then presented with MFA dialog, and selects “Authenticator”
user downloads Google or Microsoft Authenticator, then enters the verification code from the app into the Auth0 verification page
The problem is that (and this happens all the time following an email invite) the verification code is not accepted. It sometimes takes up to a third attempt to get this working. Sometimes it takes more. Could this behavior be related to a delay in the Auth0 back-end (we are testing with a non-production tenant and only enrolling the user post authentication)?
Side note: Obviously this would be a show-stopper for us if this happens in production!
A common reason why this may not be working as expected is the device time setting not being in sync with the UTC time of the code. See Troubleshooting information here.
You may have already checked this. Do you see the same issue occur with different devices?
Thank you for your response. The root cause of this issue had to do with the post-login script being called more than once. We consulted with the support team, who referred us to this:
Adding in the condition (to check whether MFA had already been enabled) solved the problem for us.