We are using Angular with silent login and want to enable multi factor authentication. Both are topics described in the documentation of Auth0. But combining both does not work really well.
When triggering the silent login with MFA, the silent login fails and user interaction is needed. There is one workaround for Google Authenticator that has the option to remember the browser for 30 days. As this will skip the MFA for 30 days, the silent login won’t need interaction for that duration.
Questions / remarks:
the silent login does not work correctly with MFA at this moment, though one workaround might exist. I see nothing about this problem in the docs or any warning. It should be noted clearly what the limitations are for combining both.
Silent login should never trigger MFA. MFA always needs user interaction, even if you remember the browser, it is only temporary. Silent login means that you are authenticated, but are requesting a new token. This flow should be different than the initial user login. To be secure, the silent login should frequently refresh the token, but we cannot have the user login every half hour or so.
The workaround with Google Authenticator works by setting a configuration option allowRememberBrowser to true. This option is also available for other MFA such as SMS, but in that case, the configuration seems to trigger the checkbox to show to the user instead of setting it behind the scenes. So one configuration option seems to behave differently for other ways of MFA. This is confusing and should be avoided. The option should do the same, perhaps a new configuration name is needed for showing the checkbox and allow the user to choose. Note that this is the problem with the silent login combination, if the user does not tick the checkbox, the silent login fails.
Our customer needs multiple ways of MFA, not only Google Authenticator. At this moment we don’t see any way to properly provide this in combination with silent login.
That is correct that when attempting to renew tokens via silent authentication you can get an error like mfa_required or login_required Multifactor authentication required or similar error. And as you mentioned we are able to remember and skip MFA for 30 days, by setting the allowRememberBrowser to true as outlined here: https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests - so that is a way to have silent authentication working with MFA (I believe you mean to say silent authentication and not silent login - please clarify with me if that is not the case). And as you mention about the user not ticking the checkbox, we would at this time not be able to pybass MFA since (if we defined a bypass criteria in rules let’s say) I don’t think there’s a reliable way to detect if the authentication is being performed based on an existing session or based on user inputting credentials.
With that being said, if the allowRememberBrowser option is not enough to satisfy our use case, we can put forward a feature request for a way to support MFA and silent authentication for this (if one has not been put forward yet) .
We found that the allowRememberBrowser=true will behave differently and for non Google Authenticator options will depend on the user to correctly set that checkbox. So it seems unreliable to use.
In addition after some more discussions, we also came to the conclusion that trying to set the allowRememberBrowser is actually a bad thing. Only the user knows if the environment in which he/she works in is safe to remember the browser. So we should never set this by default.
We are also communicating with Auth0 through mail and got a proposed solution by checking context.request.query.prompt !== “none” in the MFA rule. This seemed to work, but after some testing we found that we have a security hole to bypass MFA completely with this scenario:
we go to our application
application redirects to Auth0
login with username/password
when guardian pops up stop and go back to application url
application redirects to Auth0
intercept redirect url and add prompt=none
MFA is bypassed
So we are back to the drawing board. Hopefully Auth0 will assist us in finding a solution or implementing a new feature.
I was wondering if you ended up figuring a solution for this problem? We are running into the exact same situation.
I feel like Auth0 should only trigger an MFA challenge if the user is not already logged in. In some sense, this is an issue with more than just the Silent Auth, it’s for the whole SSO workflow. I should not have to re-enter my MFA code if I have a valid SSO session.
At the moment we have chosen to increase the token lifetime to a few hours. After this the silent login triggers the mfa challenge again. Not an ideal situation, but Auth0 is looking into this issue and we hope to finally be able to adjust our lifetime and have it working without too much of a workaround in place.
I’ve had some additional email communications with the Auth0 folks regarding this issue in mid December and they responded that it was on their roadmap and that they were planning to work on this in the near future.
Sorry for the late reply, didn’t see the mail. We are still using longer token lifetimes, but it seems that Pascal has found a workaround that we can try out as well. I’m no longer developing on that project, so I’ll check with the current team to see if this approach works with our setup.
Still I hope to see a better solution in Auth0 in the future.