Not able to login 1st time when mfa is enabled gettiing error (mfa_required)

Hi there,

error.error: mfa_required,
error.error_description: Multifactor Authentication required

This error occurs consistently when I attempt to log in for the first time, but it does not appear during subsequent login attempts. Essentially, the initial login always fails with the “mfa_required” error, while the second attempt is successful.

If you have experienced a similar problem or have any insights on how to troubleshoot and rectify this error, please share your expertise.

1 Like

Hi @abhijeet.mishra,

Can you please provide some additional details about your setup?

Hi @dan.woda,

We encounter the exact same issue as @abhijeet.mishra. We activated the MFA on our production tenant, however, the first login (right after signup) systematically fails because the /authorize?client_id=... responds with a 200 OK but in the response body there is an mfa_required error :

               var authorizationResponse = {
                    type: "authorization_response",
                    response: {
                        "error": "login_required",
                        "error_description": "Multifactor authentication required",
                        "state": "TVZlSVlBUkpRNUJNWUtEX0pxdjNwTmVrVmNSV01mcXZYOXgxZmdKMHF4TQ=="

When we refresh the web page, we are asked a new MFA code and everything works as expected.

We are using an Angular App with the AuthModule ("@auth0/auth0-angular": "^2.1.0"):

            domain: environment.auth_domain,
            clientId: environment.auth_clientId,
            authorizationParams: {
                redirect_uri: window.location.origin + '/private',
                audience: environment.auth_audience
            httpInterceptor: {
                allowedList: [ `${environment.backendUrl}/*` ]

Any help would be much appreciated,

We found the root cause of our problem: we were using silent tokens (getTokenSilently) which do not work when MFA is activated and rememberBrowser is false.

To overcome this issue we did the following:

This is counter-intuitive but we got the expected result. In fact, the action checks for the presence of MFA in the context. When there is no MFA or rememberBrowser is false, it challenges the user with an MFA. When there is MFA and the rememberBrowser is true, login proceeds.

Note: it could be interesting to specify that MFA should be set to ‘Never’ in the documentation: Configure Silent Authentication

1 Like

Thanks for the update and solution @william.occelli!

Welcome to the Auth0 Community!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.