Passwordless + MFA

When I am enabling the MFA using the passwordless authentication flow, I am always getting a "Failed Silent Auth - Multifactor authentication required" error message till I select "Remember this device for 30 days". Is that normal? Am I missing any configuration?

Hi @george.tsopouridis, and thank you for your question!

I’ll be looking into your issue, and I’ll get back to you as soon as possible.

Thanks!
Teodor.

Hi again @george.tsopouridis!

Thank you for allowing me time to do some research.

The answer to your question is yes, this is normal and expected behavior, and you are not missing any configuration for this.

Your login requires two steps: first the passwordless login and then the MFA code. After the passwordless step, your application performs a “silent authentication” in the background, but your login is not yet complete because the MFA step is still required. Since a silent authentication cannot prompt you for an MFA code, it correctly fails and reports Multifactor authentication required. This is an intentional security signal, not an error.

When you select “Remember this device,” you are telling Auth0 to skip the MFA step on that browser for 30 days. Because the MFA step is no longer required, the silent authentication can then succeed. Your setup is correct and is functioning as designed.

I hope this helps you!
Teodor.
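
Added example, not part of the thread and not Auth0's own code: one way an application can treat the silent-authentication result described above as a signal to start an interactive login rather than as a failure. It assumes the silent (`prompt=none`) response arrives as query parameters on a callback URL; the function name, the callback URLs and the state value are constructed for illustration.

```javascript
// Error codes defined by OpenID Connect Core for prompt=none requests that
// cannot finish without user interaction.
const INTERACTION_CODES = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
  'account_selection_required',
  // Assumption: Auth0 uses this code in its MFA token flows; check what your
  // tenant actually returns for silent authentication.
  'mfa_required',
]);

// Description text quoted in the thread, matched as a fallback signal.
const MFA_DESCRIPTION = /multifactor authentication required/i;

// Hypothetical helper: decide what to do with a silent-auth callback.
function classifySilentAuthResponse(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;

  // A response whose state does not match the request we sent is dropped,
  // whatever else it contains.
  if (!expectedState || params.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }

  const error = params.get('error');
  if (!error) {
    const code = params.get('code');
    return code
      ? { action: 'complete', code }
      : { action: 'reject', reason: 'missing_code' };
  }

  const description = params.get('error_description') || '';
  const mfa = error === 'mfa_required' || MFA_DESCRIPTION.test(description);
  if (mfa || INTERACTION_CODES.has(error)) {
    // Expected outcome: a silent request cannot prompt the user, so the
    // application redirects to the full login page, where the MFA
    // challenge can be shown.
    return { action: 'interactive_login', reason: error, mfa };
  }

  // Anything else (for example access_denied) is a real failure.
  return { action: 'reject', reason: error };
}
```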