Need Guidance on Implementing MFA OTP via Auth0 API for Post-Login Transaction Verification

Dear Auth0 Support Team,

I have enabled MFA with One-Time Password (OTP) using the “Always” policy, which currently prompts users for QR code setup and OTP during login, working as expected.

However, my application requires an additional MFA verification step during sensitive actions (e.g., completing a transaction) after the user has already logged in. I would like to trigger a second MFA OTP prompt via Auth0 API when such critical actions are performed inside the app.

I have reviewed the Auth0 documentation, but could not find a clear, end-to-end explanation or API-based flow that supports on-demand or step-up MFA challenges after login.

Could you please provide:

  1. A brief explanation or best practice on how to implement step-up authentication or additional MFA verification after the user is logged in.
  2. The API endpoints, configuration steps, and examples (if available) to trigger MFA OTP manually within the app during runtime.
  3. Any rules, actions, or policies I should configure to support this use case.

I would appreciate your guidance on achieving this functionality.

Hi @exchanga, and thank you for your question!

Your use case is indeed intended to be solved with our Step-up Authentication feature. When your audience is an API, you can implement step-up authentication with Auth0 using scopes, access tokens, and Actions. You can use an Action to trigger the step-up authentication mechanism (for example, prompt MFA) whenever the user requests scopes that map to sensitive resources. For more information, please see our docs. If this is the doc you mentioned reading, please check out our configuration guide for setting up the Step-up Authentication feature when the audience is an API.

I wish you a great day!

Sincerely,
Teodor.
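As an added, worked illustration of the scopes + access-token + Action pattern Teodor points to (this is example code, not from the original post, the Auth0 docs, or Auth0's own samples): the application requests a hypothetical sensitive scope `transaction:execute` in a fresh authorize request only when the user starts a transaction; a post-login Action forces an MFA challenge whenever that scope is requested; and the API refuses to complete the transaction unless the verified access token carries that scope. The scope name, the stubbed `api` object and the token claims below are all constructed for the demonstration. JWT signature, issuer, audience and expiry verification is assumed to happen upstream and is not shown.

```javascript
// Added example (not from the original post or Auth0): step-up MFA for an API
// audience, following the scopes + access token + Action pattern.
// Assumed: a hypothetical sensitive scope "transaction:execute" registered on the
// API in Auth0, which the app requests only when the user starts a transaction.
const SENSITIVE_SCOPES = new Set(['transaction:execute']);

// Pure decision: does this set of requested scopes touch a sensitive resource?
function requiresStepUp(requestedScopes) {
  return (requestedScopes || []).some((s) => SENSITIVE_SCOPES.has(s));
}

// Part 1: the post-login Action. Deploy this handler as an Auth0 Action on the
// Login / Post Login trigger. Because Actions only run during a login
// transaction, the app triggers step-up by sending a new authorize request
// that asks for the sensitive scope; the Action then demands MFA for that
// transaction only, even if the session is otherwise still valid.
async function onExecutePostLogin(event, api) {
  const requested = event.transaction?.requested_scopes ?? [];
  if (requiresStepUp(requested)) {
    // 'any' lets the user satisfy the challenge with the factor they enrolled
    // (OTP here); disabling remember-browser makes sure the prompt is shown.
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}
// Auth0 loads the handler from module.exports; guarded so the file also runs as a script.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Part 2: the API side. `claims` is the payload of an access token whose
// signature, issuer, audience and expiry have ALREADY been verified upstream
// (assumed; JWT verification is out of scope here). Auth0 issues `scope` as a
// space-separated string.
function authorizeTransaction(claims) {
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes('transaction:execute')) {
    // RFC 6750: tell the client which scope it must obtain, so it can start
    // the step-up authorize request and retry.
    return {
      status: 403,
      headers: {
        'WWW-Authenticate':
          'Bearer error="insufficient_scope", scope="transaction:execute"',
      },
    };
  }
  return { status: 200, headers: {} };
}

// Part 3: offline simulation with a constructed event and a recording api stub.
function simulateLogin(requestedScopes) {
  const calls = [];
  const api = {
    multifactor: { enable: (provider, opts) => calls.push({ provider, ...opts }) },
  };
  const event = { transaction: { requested_scopes: requestedScopes } }; // constructed
  // The handler has no await, so api.multifactor.enable has already run by the
  // time the promise is returned; `calls` is complete at this point.
  void onExecutePostLogin(event, api);
  return calls;
}

// Usage (constructed data): a normal login requests only identity scopes and gets
// no extra prompt; a transaction request carries the sensitive scope and triggers MFA.
console.log(simulateLogin(['openid', 'profile']));             // []
console.log(simulateLogin(['openid', 'transaction:execute']));  // [{ provider: 'any', allowRememberBrowser: false }]
console.log(authorizeTransaction({ scope: 'openid profile' }).status);             // 403
console.log(authorizeTransaction({ scope: 'openid transaction:execute' }).status); // 200
```

Two practical notes on this design. First, the MFA check lives entirely in the Action and the scope check entirely in the API, so the front end cannot bypass step-up by calling the endpoint with its ordinary token: a token minted without the sensitive scope is rejected with `insufficient_scope`, and a token minted with it can only have come from a login transaction in which the Action forced the OTP challenge. Second, consider issuing the step-up token with a shorter lifetime than the regular one (token lifetime is configured on the API in Auth0), since the elevated scope should not outlive the transaction it was requested for.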