Overview
Organizations utilizing Auth0 for authentication may require the application of two-factor authentication (MFA) for certain database connections, such as the Auth0 username-password database while opting to exclude MFA for other enterprise connections where MFA is managed by the identity provider (IdP). This selective application of MFA needs to be controlled directly within the Auth0 environment without affecting other authentication flows.
Solution
To address this requirement, a custom Post-Login action can be implemented in Auth0 that selectively triggers MFA based on the connection type. Here are the steps to set this up:
Step 1: Create a Custom Action
- Navigate to the Actions section in the Auth0 dashboard and select the Flows tab.
- Click on the Login flow, and on the right, see the Add Action option. Press the + plus button and select Build from Scratch.
- Type a meaningful name and press Create.
- Insert the following script in the custom action editor:
exports.onExecutePostLogin = async (event, api) => {
if (event.connection.name) === "Username-Password-Authentication") {
api.multifactor.enable("any");
}
};
NOTE: This script checks the name of the connection used during the login attempt. If the connection is “Username-Password-Authentication” MFA is enabled.
Step 2: Add the Action to the Post-Login Flow
-
After creating and saving the custom action, drag the new action into the desired position within the Post-Login flow. This ensures the action runs after authentication but before the session is established, applying MFA only for the specified connection.
-
Then press Apply.
These steps enable organizations to selectively apply MFA, ensuring enhanced security for sensitive connections while maintaining user convenience for others. This approach offers flexibility in managing authentication policies within the Auth0 environment.