Migrate users with MFA using automatic migrations and multifactor property

Hello :wave:

We’re currently making our login script in order to migrate our users into Auth0. We have users that have MFA enabled and we want to migrate that configuration also.

I’ve seen in the documentation that it can be achieved by returning:

callback(null, {
  user_id: `${user_id}`,
  email: email,
  mfa_factors: [
    {
      phone: {
        value: "+33XXXXXXXXX"
      }
    }
  ]
});

It’s working fine, the enrollment is displayed correctly on the user profile. But we notice that the “multifactor” property is not set. Since it’s not set, MFA is not triggered when the user connects because of how our rule is written:

function multifactorAuthentication(user, context, callback) {
  /*
  You can trigger MFA conditionally by checking:
  1. Client ID:
  context.clientID === 'REPLACE_WITH_YOUR_CLIENT_ID'
  2. User metadata:
  user.user_metadata.use_mfa
  */
  
  // Deactivate MFA when refreshing token
  if (context.protocol === 'oauth2-refresh-token'){
    return callback(null, user, context);
  }
  
  const isAuthApplication = context.clientID === 'XXXXX';
  const isUserHasMFAEnrolled = (user.multifactor || []).length > 0;
  
  const isMFAEnabled = isAuthApplication && isUserHasMFAEnrolled;

  if (isMFAEnabled) {
    context.multifactor = {
      provider: 'any',
      // optional, defaults to true. Set to false to force authentication every time.
      // See https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests for details
      allowRememberBrowser: false
    };
  }

  callback(null, user, context);
}

According to the documentation, we could add a custom property use_mfa to make it work. But that means we have to keep it up to date if the user deactivates his MFA, for example. We prefer to let Auth0 deal with that.

So we tried to do that when migrating our users:

callback(null, {
  user_id: `${user_id}`,
  email: email,
  multifactor: ["guardian"],
  mfa_factors: [
    {
      phone: {
        value: "+33XXXXXXXXX"
      }
    }
  ]
});

And it looks like it works like a charm, the multifactor property is correctly set within the user profile and correctly updated also if the user removes his MFA, so in this way, Auth0 handles that for us directly!

My question is, since it’s not written anywhere in the documentation, is it recommended to do that? Am I missing some possible edge cases?

Thanks a lot :pray:

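The gating behaviour described in the post can be checked locally before a migration goes live. The harness below is an added example, not code from the original post or from Auth0: it reuses the rule's decision logic and runs it against constructed user and context objects (the `CLIENT_ID` placeholder, the sample profiles and the helper `mfaRequested` are assumptions) to show which logins would skip the MFA challenge.

```javascript
// Added example: local harness for the MFA-gating rule quoted in the post.
// CLIENT_ID and every user/context object below are constructed placeholders.
const CLIENT_ID = 'XXXXX';

// Same decision logic as the rule in the post.
function multifactorAuthentication(user, context, callback) {
  // Refresh-token exchanges never get an MFA challenge.
  if (context.protocol === 'oauth2-refresh-token') {
    return callback(null, user, context);
  }
  const isAuthApplication = context.clientID === CLIENT_ID;
  const hasMfaEnrolled = (user.multifactor || []).length > 0;
  if (isAuthApplication && hasMfaEnrolled) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  callback(null, user, context);
}

// Hypothetical helper: runs the rule once and reports whether it asked for MFA.
function mfaRequested(user, context) {
  const ctx = { ...context }; // copy so one case cannot leak into the next
  let requested = null;
  multifactorAuthentication(user, ctx, (err, _user, outCtx) => {
    if (err) throw err;
    requested = Boolean(outCtx.multifactor);
  });
  if (requested === null) throw new Error('rule never invoked its callback');
  return requested;
}

const login = { clientID: CLIENT_ID, protocol: 'oidc-basic-profile' };
const cases = [
  // Profile as seen by the rule when the login script returned mfa_factors only.
  ['migrated, multifactor unset', { user_id: 'u1' }, login],
  // Profile when the login script also returned multifactor: ["guardian"].
  ['migrated, multifactor set', { user_id: 'u2', multifactor: ['guardian'] }, login],
  // Profile after the user removed their enrollment.
  ['enrollment removed', { user_id: 'u3', multifactor: [] }, login],
  ['refresh token exchange', { user_id: 'u2', multifactor: ['guardian'] },
    { clientID: CLIENT_ID, protocol: 'oauth2-refresh-token' }],
  ['different application', { user_id: 'u2', multifactor: ['guardian'] },
    { clientID: 'OTHER', protocol: 'oidc-basic-profile' }],
];

// Returns one { name, requested } entry per constructed case.
function runCases() {
  return cases.map(([name, user, ctx]) => ({ name, requested: mfaRequested(user, ctx) }));
}

for (const r of runCases()) console.log(`${r.name}: MFA requested = ${r.requested}`);
```

The first case is the gap the post describes: a migrated user whose profile lacks `multifactor` logs in without a second factor under this rule.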