Post-login action and MFA

Has the behavior of the post-login action for users that have MFA enabled changed recently?

In the post login action we check if the user has MFA enabled and perform

api.multifactor.enable('any');
return event;

This prompts the user to enter their MFA code.
About two months ago when we first implemented the post-login action, when the user entered their MFA code the post-login action triggered again for a second time, at which point we continued performing other necessary steps, but now it seems that they get logged in directly.

Hi @michael30,

There haven’t been any recent changes with MFA in the post-login action.

The post-login action flow with MFA should prompt the user for MFA only once. If it triggers twice, you may want to investigate what is causing this. Since it’s no longer an issue, you can continue using the post-login action script with MFA as usual.

Please keep us posted if you encounter any further issues.

Thanks,
Rueben

1 Like

Hi @rueben.tiow,

Thanks for your response! We were missing multiple pieces of information about how Auth0 works and our previous implementation wasn’t correct:

  1. Most importantly we weren’t aware that the correct way of challenging the user for MFA if they have any factors enabled is api.authentication.challengeWith({type: 'otp'});. Instead we were using api.multifactor.enable('any');
  2. We were not aware that if you have 2 actions in the login flow, say the first being MFA conditional challenge using the command above, then the flow pauses in between the actions until the user enters their MFA code.

Instead we were using the fact that the entire post-login flow, with a single action in it, was called twice. The first time we checked MFA, used api.multifactor.enable('any'); return; thus skipping the code that followed, then the user entered their MFA code, the flow + action triggered again, and the non-MFA-related logic was run.

Anyway we seem to have fixed it now but:

  • Auth0 definitely worked like that ~2 months ago, as we haven’t changed that part of the code (and it’s hard to imagine what we could have done, as we are using the new universal login experience out of the box)
  • We copied the code & logic that we were using earlier from somewhere, possibly Auth0 documentation or this forum. If api.multifactor.enable('any') is not supposed to be used for this purpose (i.e. conditionally challenging the user to enter MFA) it should be stated somewhere?
1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.