Not able to login 1st time when mfa is enabled gettiing error (mfa_required)

abhijeet.mishra · October 8, 2023, 3:01pm

Hi there,

{
error.error: mfa_required,
error.error_description: Multifactor Authentication required
}

This error occurs consistently when I attempt to log in for the first time, but it does not appear during subsequent login attempts. Essentially, the initial login always fails with the “mfa_required” error, while the second attempt is successful.

If you have experienced a similar problem or have any insights on how to troubleshoot and rectify this error, please share your expertise.

dan.woda · October 11, 2023, 5:53pm

Hi @abhijeet.mishra,

Can you please provide some additional details about your setup?

william.occelli · October 18, 2023, 7:14am

Hi @dan.woda,

We encounter the exact same issue as @abhijeet.mishra. We activated the MFA on our production tenant, however, the first login (right after signup) systematically fails because the /authorize?client_id=... responds with a 200 OK but in the response body there is an mfa_required error :

               var authorizationResponse = {
                    type: "authorization_response",
                    response: {
                        "error": "login_required",
                        "error_description": "Multifactor authentication required",
                        "state": "TVZlSVlBUkpRNUJNWUtEX0pxdjNwTmVrVmNSV01mcXZYOXgxZmdKMHF4TQ=="
                    }
                };

When we refresh the web page, we are asked a new MFA code and everything works as expected.

We are using an Angular App with the AuthModule ("@auth0/auth0-angular": "^2.1.0"):

        AuthModule.forRoot({
            domain: environment.auth_domain,
            clientId: environment.auth_clientId,
            authorizationParams: {
                redirect_uri: window.location.origin + '/private',
                audience: environment.auth_audience
            },
            httpInterceptor: {
                allowedList: [ `${environment.backendUrl}/*` ]
            }
        }),

Any help would be much appreciated,
Thanks,
William

EDIT:
We found the root cause of our problem: we were using silent tokens (getTokenSilently) which do not work when MFA is activated and rememberBrowser is false.

To overcome this issue we did the following:

We created an action with the code proposed in the documentation (Configure Silent Authentication)
We set the MFA to ‘Never’

This is counter-intuitive but we got the expected result. In fact, the action checks for the presence of MFA in the context. When there is no MFA or rememberBrowser is false, it challenges the user with an MFA. When there is MFA and the rememberBrowser is true, login proceeds.

Note: it could be interesting to specify that MFA should be set to ‘Never’ in the documentation: Configure Silent Authentication

dan.woda · October 18, 2023, 2:34pm

Thanks for the update and solution @william.occelli!

Welcome to the Auth0 Community!

system · November 1, 2023, 2:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.