Hi @kevinzhao,
Thanks for your question.
According to this documentation, when https://AUTH0_DOMAIN/mfa/ is specified as the audience, MFA is enforced. This means that completing MFA is unavoidable.
I would add that the user can still select and enroll in whichever MFA methods you have configured on the Universal Login by clicking the Try another method option.
As for a custom MFA interface to allow your users to accomplish the same behavior, the user must complete the required MFA prompt to get an MFA access token to call any endpoints in the MFA API.
There is an option to use a post-login action to first redirect your users to a custom page to let them decide whether to skip or proceed with MFA. After the authentication resumes, you can save their preference from their selection and enforce or skip MFA.
There is the api.authentication.challengeWithAny(factors) method in a post-login action to prompt users with an MFA picker to select their preferred MFA method on the Universal Login.
This way, you can continue to leverage the Universal Login UI for the MFA picker.
Let me know if you have any questions about this.
Thanks,
Rueben
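
A sketch of the post-login Action flow described in the reply above, added here as an example; it is not Rueben's or Auth0's own code. The custom page URL, the secret name REDIRECT_SECRET, the app_metadata key mfa_choice and the mfa_choice claim returned by the custom page are assumptions.

```javascript
// Added example; PREFERENCE_URL, REDIRECT_SECRET and "mfa_choice" are hypothetical names.
const PREFERENCE_URL = 'https://app.example.com/mfa-preference';

// Show the Universal Login MFA picker for the factors this user has enrolled.
// With nothing enrolled, fall back to the tenant's MFA flow instead of passing silently.
function requireMfa(event, api) {
  const factors = (event.user.enrolledFactors || []).map((f) => ({ type: f.type }));
  if (factors.length > 0) {
    api.authentication.challengeWithAny(factors);
  } else {
    api.multifactor.enable('any');
  }
}

const onExecutePostLogin = async (event, api) => {
  // app_metadata is not writable by the user, unlike user_metadata.
  const choice = (event.user.app_metadata || {}).mfa_choice;
  if (choice === 'enforce') return requireMfa(event, api);
  if (choice === 'skip') return;
  // No stored choice yet: send the user to the custom page with a signed, short-lived token.
  const token = api.redirect.encodeToken({
    secret: event.secrets.REDIRECT_SECRET,
    expiresInSeconds: 300,
    payload: { purpose: 'mfa_choice' },
  });
  api.redirect.sendUserTo(PREFERENCE_URL, { query: { session_token: token } });
};

const onContinuePostLogin = async (event, api) => {
  // The custom page returns its answer as a token signed with the same secret;
  // validateToken throws (failing the login) if it is missing, expired or tampered with.
  const answer = api.redirect.validateToken({
    secret: event.secrets.REDIRECT_SECRET,
    tokenParameterName: 'session_token',
  });
  // Anything other than an explicit "skip" is treated as "enforce".
  const choice = answer.mfa_choice === 'skip' ? 'skip' : 'enforce';
  api.user.setAppMetadata('mfa_choice', choice);
  if (choice === 'enforce') requireMfa(event, api);
};

// In the Action editor these two functions are the module's exports.
if (typeof exports !== 'undefined') Object.assign(exports, { onExecutePostLogin, onContinuePostLogin });
```

Reading the stored choice from app_metadata and accepting the page's answer only as a signed token keeps the skip decision out of values the browser can alter.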