
Prompt for MFA during specific actions / using MFA without login flow

mfa
google-authenticator

#1

In my application, if a user does something that might be of importance (ex: confirm their account deletion), I’d like to prompt for MFA.

From my Auth0 MFA research, it seems that I can only trigger MFA during a login flow. Is this correct?

I noticed there is the challenge API, but that requires the mfa_token, which seems to only be available during the login flow + rules processing.


#3

Hey @theogravity !

Totally understand your use case! Here’s a piece of content that can help you with getting this kind of flow with SMS MFA:

You can also look at this thread as one of our community members is also trying to configure such flow for their iOS app:

Hope it helps!


#4

Thanks for the response, but it unfortunately does not. The guide you posted only works when the login flow is invoked.

If you choose to selectively apply MFA, you will need the appropriate clientID values, and the code will be executed as part of a Rule whenever a user logs in.

I want to also clarify a bit further - is it possible to invoke MFA without having to invoke Auth0 authentication? I have a very custom auth service that is unable to integrate into Auth0 as a connection or a custom OAuth2 app (but I would be creating users in Auth0 with profile information sync’d from the custom auth service), so I’m unable to use the Auth0 log-in portion, but still would like to use the MFA capabilities during specific actions in my app.

Am I reading the wrong section?


#5

Okokok thanks for providing additional clarification.

It is not possible to invoke MFA without having to invoke Auth0 authentication. It is triggered via rules, which always execute after successful authentication.


#6

Hello, can you guide me how to prompt user for MFA on specific action?
I have frontend client app and backend API.

I want users to be always prompted for MFA on calls to some endpoints of the API.

Login flow:

  1. User clicks on “Log In” button on frontend.
  2. User is redirected to Auth0 login page.
  3. JWT is received on frontend and sent to backend.
  4. On backend ID Token is parsed and user is signed in with associated ApplicationUser (ASP.NET).

Next, suppose, user tries to withdraw some funds.

  1. Frontend makes POST /withdraw.
  2. Backend responds with “MFA required”.
  3. Frontend redirects user to Auth0 with new scope “transfer:funds”.
  4. Custom rule is applied and 2fa is requested. But what if user has logged in with MFA initially? Will he be asked to authenticate again?

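For the flow sketched in the post above, the rule in step 4 could look like the following. This is an added example, not code from the thread or from Auth0's own samples; it uses the legacy Rules signature `function (user, context, callback)`, the documented `context.multifactor` setting, and treats the `transfer:funds` scope name from the post as the trigger. The second function is an assumed backend-side check of an already signature-verified ID token, which answers the "what if the user already did MFA" question from the defender's side: the backend should look for the `amr` claim rather than trust that the prompt happened.

```javascript
// Added example (not from the thread). Auth0 legacy Rule that requires a fresh
// MFA challenge whenever the authorization request asks for a sensitive scope.
// Scope names are assumptions taken from the post above.
const SENSITIVE_SCOPES = ['transfer:funds'];

function requireMfaForSensitiveScope(user, context, callback) {
  // The requested scope arrives as a space-separated string either in the
  // query (authorize endpoint) or in the body (token endpoint).
  const request = context.request || {};
  const requested = (request.query && request.query.scope) ||
                    (request.body && request.body.scope) || '';
  const scopes = requested.split(' ').filter(Boolean);

  if (scopes.some((s) => SENSITIVE_SCOPES.includes(s))) {
    // provider 'any' uses whichever factor the user has enrolled.
    // allowRememberBrowser: false disables the "remember this browser"
    // option, so the prompt is not skipped on a trusted device.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Backend-side check (assumed helper): given the decoded claims of an ID
// token whose signature has ALREADY been verified, decide whether the
// sensitive endpoint may proceed. Auth0 sets amr to include "mfa" when the
// authentication transaction completed a multifactor challenge; the
// maxAgeSeconds bound is an assumption for how "recent" the auth must be.
function idTokenSatisfiesStepUp(claims, nowSeconds, maxAgeSeconds) {
  const amr = Array.isArray(claims.amr) ? claims.amr : [];
  const didMfa = amr.includes('mfa');
  const authTime = typeof claims.auth_time === 'number' ? claims.auth_time : 0;
  const fresh = nowSeconds - authTime <= maxAgeSeconds;
  return didMfa && fresh;
}
```
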
#7

Hey there @Dragollla!

As I said above, the clue here is that it is not possible to invoke MFA without having to invoke Auth0 authentication. It is triggered via rules, which always execute after successful authentication.

If you want users to be always prompted for MFA on a call to whatever endpoints of an API you need to invoke Auth0 authentication each time calling the API.

Let me know if that helps!


#9

Sure. User is authenticated. I just wanted to clarify that the user will be prompted for MFA even if he had already authenticated with MFA recently.


#10

If you want him to be faced with MFA whenever he makes the API call then you need to invoke an authentication flow -> which will invoke MFA flow -> then yep he will be prompted for MFA again