In my application, if a user does something that might be of importance (ex: confirm their account deletion), I’d like to prompt for MFA.
From my Auth0 MFA research, it seems that I can only trigger MFA during a login flow. Is this correct?
I noticed there is the challenge API, but that requires the mfa_token, which seems to only be available during the login flow + rules processing.