Multi-Factor Authentication (MFA): Top 5 Highlights from the Community Ask Me Anything

Thank you to everyone who participated in our AMA on Multi-Factor Authentication! For those who couldn’t join, we’ve put together the top five highlights from the session. You can also read the complete discussion thread for the detailed answers from our product experts.

Here are the key takeaways:

1. What is MFA and when to utilize it? With traditional username and password flows, MFA acts as a vital secondary authentication method. It verifies that a user is who they claim to be, in line with industry best practices for strong security assurance models. Beyond general login, MFA is valuable for “step-up” authentication, adding higher security for sensitive actions.

2. What about Social Logins? While social logins offer convenience by leveraging third-party identity providers, it’s crucial to understand their security implications. Social logins don’t act as a substitute for robust security since applications depend on the third-party IDP’s authentication methods, which a tenant has no control over. Breaches can compromise accounts and introduce threats. Therefore, it’s imperative to double up on security practices like having MFA enabled on the account itself.

3. More Controlled MFA Flow: Another point of interest revolved around implementing more controlled MFA flows, specifically conditional WebAuthn Platform (biometric authentication) challenges within Post-Login Actions. Users expressed a desire to trigger WebAuthn only if the current device was already enrolled, aiming to prevent unnecessary re-enrollment prompts. While Actions cannot currently detect directly whether the current device already has a WebAuthn enrollment, we are enhancing these implementations. More information will come in the second half of the year, which is expected to resolve these inconsistencies and enable more seamless conditional flows.

4. Monitoring Adaptive MFA Implementation Metrics: Community members were keen on understanding how to monitor Adaptive MFA (AMFA) implementation metrics to gauge success and identify potential customer friction. Specific interest included tracking how many users were prompted for MFA, the reasons behind the prompt, and failed login attempts. For high-level insights, the Security Center provides visuals of authentication activity for your tenant, including MFA activity. For more detailed insights, you can enable Adaptive MFA Risk Assessment in your logs, which will display all AMFA metrics in your login events.

5. Configuring Email as an MFA Factor for Users Without Email at Sign Up: A common question addressed was how to configure email as an MFA factor for users who don’t provide an email during sign up. You can achieve this via the Management API or MFA API. Historically, Auth0’s password resets were tied exclusively to the email, but our product team is actively exploring future enhancements to allow email to be controlled as a flexible factor not tied to password resets, enhancing overall security and flexibility.
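As an added example (not code from the AMA thread or from Auth0's own samples), here are the step-up and conditional WebAuthn ideas from points 1 and 3 written as a Post-Login Action. It assumes the Actions API names event.user.enrolledFactors, event.transaction.acr_values, event.authentication.methods, api.multifactor.enable and api.authentication.challengeWith, which follow Auth0's documented Post-Login trigger; verify them against the Actions reference for your tenant before deploying.

```javascript
// Assumed Auth0 Post-Login Action API names; verify against the Actions reference.
// acr value an application sends to request step-up MFA (OIDC acr_values).
const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// Pure decision logic, separate from the api.* side effects so it can be
// unit-tested with a constructed event object.
function decideMfa(event) {
  const acrValues = (event.transaction && event.transaction.acr_values) || [];
  const stepUpRequested = acrValues.includes(MFA_ACR);
  const methods = (event.authentication && event.authentication.methods) || [];
  const alreadyDidMfa = methods.some((m) => m.name === 'mfa');
  const enrolled = (event.user && event.user.enrolledFactors) || [];

  // Step up only when the application asked for it and MFA has not already
  // been completed in this session.
  if (!stepUpRequested || alreadyDidMfa) return { action: 'none' };
  // Nothing enrolled yet: hand over to Auth0's enrollment flow.
  if (enrolled.length === 0) return { action: 'enable' };

  // enrolledFactors is per user, not per device, so a platform authenticator
  // enrolled on another device cannot be told apart here (the limitation the
  // AMA describes). Prefer webauthn-platform but keep the other enrolled
  // factors as fallbacks so a user on a different device is not locked out.
  const hasPlatform = enrolled.some((f) => f.type === 'webauthn-platform');
  const others = enrolled
    .filter((f) => f.type !== 'webauthn-platform')
    .map((f) => ({ type: f.type }));
  if (hasPlatform) {
    return { action: 'challenge', preferred: { type: 'webauthn-platform' }, fallbacks: others };
  }
  return { action: 'challenge', preferred: others[0], fallbacks: others.slice(1) };
}

// Action entry point: applies the decision through the (assumed) Actions API.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.action === 'enable') {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  } else if (decision.action === 'challenge') {
    api.authentication.challengeWith(decision.preferred, {
      additionalFactors: decision.fallbacks,
    });
  }
  return decision;
}

if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```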

What’s Next

Check back soon for details on our next Ask Me Anything. To view past AMA topics, learn more here.