
Silent Login with MFA

mfa
silent-authenticatio

#1

Hi,

We are using Angular with silent login and want to enable multi factor authentication. Both are topics described in the documentation of Auth0. But combining both does not work really well.

When triggering the silent login with MFA, the silent login fails and user interaction is needed. There is one workaround for Google Authenticator that has the option to remember the browser for 30 days. As this will skip the MFA for 30 days, the silent login won’t need interaction for that duration.

Questions / remarks:

  1. the silent login does not work correctly with MFA at this moment, though one workaround might exist. I see nothing about this problem in the docs or any warning. It should be noted clearly what the limitations are for combining both.

  2. Silent login should never trigger MFA. MFA always needs user interaction, even if you remember the browser, it is only temporary. Silent login means that you are authenticated, but are requesting a new token. This flow should be different than the initial user login. To be secure, the silent login should frequently refresh the token, but we cannot have the user login every half hour or so.

  3. The workaround with Google Authenticator works by setting a configuration option allowRememberBrowser to true. This option is also available for other MFA such as SMS, but in that case, the configuration seems to trigger the checkbox to show to the user instead of setting it behind the scenes. So one configuration option seems to behave differently for other ways of MFA. This is confusing and should be avoided. The option should do the same, perhaps a new configuration name is needed for showing the checkbox and allow the user to choose. Note that this is the problem with the silent login combination, if the user does not tick the checkbox, the silent login fails.

Our customer needs multiple ways of MFA, not only Google Authenticator. At this moment we don’t see any way to properly provide this in combination with silent login.

Kind Regards,
Jan


#3

That is correct that when attempting to renew tokens via silent authentication you can get an error like mfa_required or login_required (Multifactor authentication required) or a similar error. And as you mentioned we are able to remember and skip MFA for 30 days, by setting the allowRememberBrowser to true as outlined here: https://auth0.com/docs/multifactor-authentication/custom#change-the-frequency-of-authentication-requests - so that is a way to have silent authentication working with MFA (I believe you mean to say silent authentication and not silent login - please clarify with me if that is not the case). And as you mention about the user not ticking the checkbox, we would at this time not be able to bypass MFA since (if we defined a bypass criteria in rules let’s say) I don’t think there’s a reliable way to detect if the authentication is being performed based on an existing session or based on user inputting credentials.

With that being said, if the allowRememberBrowser option is not enough to satisfy our use case, we can put forward a feature request for a way to support MFA and silent authentication for this (if one has not been put forward yet).


#4

Thanks for replying.

We found that the allowRememberBrowser=true will behave differently and for non Google Authenticator options will depend on the user to correctly set that checkbox. So it seems unreliable to use.

In addition, after some more discussions, we also came to the conclusion that trying to set the allowRememberBrowser is actually a bad thing. Only the user knows if the environment in which he/she works is safe to remember the browser. So we should never set this by default.

We are also communicating with Auth0 through mail and got a proposed solution by checking `context.request.query.prompt !== "none"` in the MFA rule. This seemed to work, but after some testing we found that we have a security hole to bypass MFA completely with this scenario:

  1. we go to our application
  2. application redirects to Auth0
  3. login with username/password
  4. when guardian pops up stop and go back to application url
  5. application redirects to Auth0
  6. intercept redirect url and add prompt=none
  7. MFA is bypassed

So we are back to the drawing board. Hopefully Auth0 will assist us in finding a solution or implementing a new feature.

Kind Regards,
Jan
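The rule discussed in this thread decides whether to demand MFA based on the `prompt=none` query parameter, which any caller can set, so it cannot distinguish a genuine silent renewal of a session that already passed MFA from a fresh password-only login with `prompt=none` injected (step 6 above). The block below is an added example, not code from the thread, from Auth0 or from the solution proposed over mail: it writes both rules in the Auth0 rule signature `(user, context, callback)` and runs them offline against constructed, simplified contexts. The hardened variant keys off `context.authentication.methods` (the list of authentication methods completed in the current session, with `mfa` as the entry name, as in Auth0's "MFA once per session" rule pattern); that property name, the `context.multifactor` shape and the constructed contexts are assumptions made here for the example.

```javascript
// Added example: two Auth0-style rules exercised offline against constructed contexts.
// Real rules run inside the Auth0 pipeline; here they are plain functions so the
// decision logic can be compared side by side.

// Flawed rule as described in the thread: skip MFA whenever prompt=none.
// The prompt parameter is just a query-string value chosen by the client, so it
// says nothing about whether the session behind the request ever passed MFA.
function promptBasedMfaRule(user, context, callback) {
  if (context.request.query.prompt !== 'none') {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Hardened rule: decide on what the session has actually completed.
// Assumption: context.authentication.methods lists completed methods as
// { name, timestamp } objects and an entry named 'mfa' marks a completed MFA step.
function sessionBasedMfaRule(user, context, callback) {
  const methods = (context.authentication && context.authentication.methods) || [];
  const completedMfa = methods.some((m) => m.name === 'mfa');
  if (!completedMfa) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Run a rule against a deep copy of a context and report whether it demanded MFA.
// Copying keeps one rule's mutation of context.multifactor from leaking into the next run.
function mfaRequired(rule, context) {
  const ctx = JSON.parse(JSON.stringify(context));
  let required = false;
  rule({ user_id: 'auth0|example-user' }, ctx, (err, user, outCtx) => {
    required = Boolean(outCtx.multifactor);
  });
  return required;
}

// Constructed contexts (simplified shape of the rules context, for the example only).
const pwd = { name: 'pwd', timestamp: '2024-01-01T00:00:00.000Z' };
const mfa = { name: 'mfa', timestamp: '2024-01-01T00:00:30.000Z' };

// Step 6 of the thread: password login only, then prompt=none injected on the redirect.
const bypassAttempt = {
  request: { query: { prompt: 'none' } },
  authentication: { methods: [pwd] },
};
// A genuine silent renewal: the session already completed MFA earlier.
const genuineSilentRenewal = {
  request: { query: { prompt: 'none' } },
  authentication: { methods: [pwd, mfa] },
};
// A normal interactive login with no prompt parameter.
const interactiveLogin = {
  request: { query: {} },
  authentication: { methods: [pwd] },
};

// Evaluate both rules over the three contexts; true means "MFA demanded".
function evaluate() {
  const run = (rule) => ({
    bypassAttempt: mfaRequired(rule, bypassAttempt),
    genuineSilentRenewal: mfaRequired(rule, genuineSilentRenewal),
    interactiveLogin: mfaRequired(rule, interactiveLogin),
  });
  return { promptRule: run(promptBasedMfaRule), sessionRule: run(sessionBasedMfaRule) };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

In the output the prompt-based rule lets the injected `prompt=none` login through without MFA, while the session-based rule still demands MFA for it and only waives it for the session that already completed MFA, which is the behaviour a silent renewal actually needs. The remaining caveat from the thread stands: the session-based check is only as good as the authentication-method record the identity provider exposes to the rule.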