We’re trying to understand what pieces are needed to put our desired solution together and we’re having a bit of trouble understanding the documentation.
Using a redirect flow for a standard web application, we want the user to log in with a username and password, followed by MFA from an authenticator app. Following the initial login, for certain operations within the platform, we want to reverify the user’s MFA. I can’t seem to find this written down in any documentation; all references to “step-up” MFA refer to the user not having MFA during login, and then requesting it for certain actions, but we would like it for both.
The second question is: is there a simple way to verify a token on a user’s authenticator app without any previous requests being made to Auth0? For argument’s sake, consider a bank withdrawal. We would like to have, in a single form, the fields:
Ideally, we would simply send the OTP to Auth0 through some API, along with the user’s token, and it would give us a yes/no answer as to whether the OTP was valid.