Optional Enrollment in MFA


I hesitate to post this, as looking through the list of similar questions they all appear to be closed or terminate without resolution.

I’ve looked at custom rules, I’d rather not modify the Auth0MfaWidget and lose the new experience, but even then, I can’t see a way to allow users to opt in/out of MFA. Is there a recommended way to do this?

And, when someone does enroll in MFA via an enrollment ticket, is there a way to redirect them after the enrollment other than editing the Auth0MfaWidget? I’ve added console logs to my rule and am using the WebTask Logs, after login the rule is executed so I could redirect a user but the rule is not executed after MFA enrollment (via ticket).

On this page it’s pretty clear that the art shows “redirecting” after the MFA enrollment process

but on this blog post, the response seems pretty clear that there’s no redirection support for MFA enrollment tickets

I feel as though I might be missing something obvious, any help would be greatly appreciated.


1 Like

Additionally, I’ve been through maybe all of the mfa docs, including the following

Which then says I can customize the full HTML content as described in the following

However, this makes it clear that internationalization and a number of other features are not available in this, which leads me further to believe that it isn’t the way to go.

1 Like

I would also be interested in the answer to this.


Could someone from Auth0 give an official response on this? Is there no way to decide when a User enrolls in MFA? A use-case involves only enrolling users in MFA once they reach a certain stage of the onboarding process- rather than immediately when they create an account. However it seems like once MFA is turned on, it’s required for all users immediately. Is that the case?

Is there any update?

We would like to encourage the user to setup MFA in order to use more services without forcing him to do so. However, like described above, there is no straight forward solution to start an MFA process for an already registered user.

There is a possible workaround:
Use custom rule to enforce MFA when, for example, a user has a certain role assgined. The role can be assigned (or removed) by the management API.

Is this the recommended way of doing it?