Auth0 Home Blog Docs

Scopes for Step-Up authentication



I want to add Step-Up authentication to my single-page web application that uses Auth0 lock widget.
The MFA should be triggered on certain action e.g. “Sign contract”.

In Auth0 documentation I have found two ways to do that:

Could you please explain what is the difference and which one is preferable for single-page web app.


As somewhat hinted in the notice available in the first link you mentioned given that acr_values are now supported that should be your choice as they are standardized while the step_up flag was a custom implementation. In addition, to my knowledge the fact that the client application is a SPA should not affect this decision in any way.