We are using Angular with silent login and want to enable multi-factor authentication. Both topics are described in the Auth0 documentation, but combining the two does not work very well.
When triggering the silent login with MFA enabled, the silent login fails and user interaction is needed. There is one workaround for Google Authenticator, which has the option to remember the browser for 30 days. As this skips MFA for 30 days, the silent login won't need interaction for that duration.
Questions / remarks:
The silent login does not work correctly with MFA at this moment, though one workaround might exist. I see nothing about this problem in the docs, nor any warning. It should be noted clearly what the limitations are when combining both.
Silent login should never trigger MFA. MFA always needs user interaction; even if you remember the browser, that is only temporary. Silent login means that you are already authenticated but are requesting a new token. This flow should be different from the initial user login. To be secure, the silent login should refresh the token frequently, but we cannot have the user log in every half hour or so.
The workaround with Google Authenticator works by setting the configuration option allowRememberBrowser to true. This option is also available for other MFA methods such as SMS, but in that case the configuration seems to trigger a checkbox shown to the user instead of setting it behind the scenes. So one configuration option seems to behave differently for different MFA methods. This is confusing and should be avoided. The option should do the same thing everywhere; perhaps a new configuration name is needed for showing the checkbox and letting the user choose. Note that this is the problem with the silent login combination: if the user does not tick the checkbox, the silent login fails.
Our customer needs multiple MFA methods, not only Google Authenticator. At this moment we don't see any way to provide this properly in combination with silent login.
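The failure mode the post describes (a silent renewal that comes back needing user interaction because MFA was triggered) has to be handled on the client, or the app ends up in exactly the "log in every half hour" situation. The following is an added example, not code from the original post or from Auth0: a small renewal loop around an auth0-js `WebAuth` instance's `checkSession(options, cb)`. The client and the timer functions are injected so the logic runs offline with fakes. It assumes the documented `prompt=none` failure codes `login_required`, `interaction_required` and `consent_required`; treating all three as "send the user through a visible login" is this example's choice, as are the hook names `onTokens`, `onInteractiveLogin` and `onRetry`.

```javascript
// Error codes Auth0 can return when a prompt=none (silent) request cannot
// finish without the user. An MFA challenge during silent auth surfaces as
// one of these, so the app must fall back to an interactive login.
// (Assumption of this example: all three are handled the same way.)
const INTERACTION_ERRORS = new Set([
  'login_required',
  'interaction_required',
  'consent_required',
]);

// Decide what the app should do with the outcome of one checkSession() call.
// Returns { action: 'store' | 'interactive_login' | 'retry_later', reason }.
function classifySilentAuthResult(err, authResult) {
  if (err) {
    return INTERACTION_ERRORS.has(err.error)
      ? { action: 'interactive_login', reason: err.error }
      : { action: 'retry_later', reason: err.error || 'unknown_error' };
  }
  // A "successful" callback without a usable token is treated as transient.
  if (!authResult || !authResult.accessToken || !(authResult.expiresIn > 0)) {
    return { action: 'retry_later', reason: 'incomplete_result' };
  }
  return { action: 'store', reason: 'ok' };
}

// Renew a safety margin before expiry, but never sooner than floorMs so a
// very short-lived token cannot turn the loop into a hot spin.
function renewDelayMs(expiresInSeconds, marginSeconds = 60, floorMs = 5000) {
  return Math.max(floorMs, (expiresInSeconds - marginSeconds) * 1000);
}

// webAuth: an auth0-js WebAuth (only checkSession(options, cb) is used).
// hooks:   { onTokens(authResult), onInteractiveLogin(reason), onRetry(reason) }
// timers:  { set(fn, ms) -> id, clear(id) }, injectable for offline tests.
function createSilentRenewer(webAuth, hooks, timers) {
  const clock = timers || {
    set: (fn, ms) => setTimeout(fn, ms),
    clear: (id) => clearTimeout(id),
  };
  let timer = null;

  const renewer = {
    renew() {
      webAuth.checkSession({}, (err, authResult) => {
        const decision = classifySilentAuthResult(err, authResult);
        switch (decision.action) {
          case 'store':
            hooks.onTokens(authResult);
            timer = clock.set(() => renewer.renew(), renewDelayMs(authResult.expiresIn));
            break;
          case 'interactive_login':
            // MFA (or an expired session) blocked silent auth: stop the loop
            // and let the app redirect via webAuth.authorize() instead.
            timer = null;
            hooks.onInteractiveLogin(decision.reason);
            break;
          default:
            // Network or other transient failure: back off and try again.
            hooks.onRetry(decision.reason);
            timer = clock.set(() => renewer.renew(), 30000);
        }
      });
    },
    stop() {
      if (timer !== null) clock.clear(timer);
      timer = null;
    },
  };
  return renewer;
}
```

In the Angular app the `onInteractiveLogin` hook is where the redirect to the hosted login page belongs; with this split, a `login_required` caused by the MFA rule is at least detected and handled explicitly rather than leaving the app with a stale token.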