Step up authentication not working

Hi Team,

I am trying to trigger MFA for custom use cases. I have an API and an MVC web app registered with Auth0, and I have a rule created with the permission claim as the if condition. My requirement is that whenever that claim is added to the token, MFA should trigger. But this is not working as expected. Could anyone please help me with this?

If any step-by-step example is available, kindly share it as well. Thanks a lot in advance.

Hi @mail2ganeshks,

Our first recommendation would be to review the steps covered in our documentation for setting up Step up authentication for web apps: Configure Step-up Authentication for Web Apps

It may also help to review our MFA troubleshooting guide: Troubleshoot Multi-Factor Authentication Issues

Would you describe a bit more about how it is not working as expected? Are you not seeing an MFA prompt even though the condition within your rule is met?


Step-up Authentication for Web Apps

In a Web App, we can implement step-up by inspecting the AMR (Authentication Method Reference) claim in the ID Token that was issued to the Authenticated User. The ID Token should contain amr as one of the claims and one of the values for that claim should be mfa.

Steps –

  1. A Rule is to be set up on Auth0 to challenge the User with an additional factor when the application requests it. The acr_values parameter value can be anything, as long as the Rule and the App use the same value.
    function (user, context, callback) {
      // Challenge with a second factor only when the App asked for it via acr_values
      if (context.request.query.acr_values === 'http://schemas.openid.net/pape/policies/2007/06/multi-factor') {
        context.multifactor = {
          provider: 'any',
          allowRememberBrowser: false
        };
      }
      callback(null, user, context);
    }
  2. If the Authenticated User clicks on the page that has the sensitive data and is not already authenticated with MFA, then the App should send a request for Authentication that includes the following extra parameter – acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor – and the Auth0 Rule will trigger MFA.
  3. The user will have to key in the phone number (if it is the first time) and an OTP will be sent.
  4. After a successful MFA, the newly issued ID Token should have the amr claim (with the mfa value).

Resources
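The flow described in the post above, as an added Node.js example that is not code from the post or from Auth0: the Rule from step 1 written as a complete Rule function, a simulation of Auth0 running it against an /authorize request, the app-side check of the amr claim from step 4, and the step-up /authorize request from step 2. The function names (stepUpRule, runRule, hasMfaAmr, stepUpAuthorizeUrl, handleSensitivePage, makeSampleIdToken), the tenant domain, client id, redirect URI and the sample ID tokens are all constructed for illustration. The example assumes the app's OIDC middleware has already verified the ID token (signature, iss, aud, exp, nonce) before the amr claim is inspected; decoding alone proves nothing. Note that the acr_values string compared in the Rule must be byte-for-byte the one the app sends, which is a common reason the prompt never appears.

```javascript
// Added example (not from the post or Auth0): simulation of the step-up flow.
// Names, domain, client id, redirect URI and tokens below are constructed.

const MFA_ACR = 'http://schemas.openid.net/pape/policies/2007/06/multi-factor';

// Step 1: the Rule as a complete Auth0 Rule function. Auth0 invokes a Rule as
// function(user, context, callback) on every login transaction.
function stepUpRule(user, context, callback) {
  if (context.request.query.acr_values === MFA_ACR) {
    context.multifactor = {
      provider: 'any',
      allowRememberBrowser: false // challenge even on a remembered browser
    };
  }
  return callback(null, user, context);
}

// Simulate Auth0 running the Rule for an /authorize request carrying `query`.
function runRule(rule, query) {
  let result;
  rule({ user_id: 'auth0|sample' }, { request: { query } }, (err, user, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

function base64urlDecode(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64urlEncode(s) {
  return Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a JWT payload. This does NOT verify the signature: the OIDC middleware
// must have verified the ID token before any claim in it, amr included, is trusted.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64urlDecode(parts[1]));
}

// Step 4: the user counts as MFA-authenticated only if the verified ID token
// has an amr claim and one of its values is "mfa".
function hasMfaAmr(idToken) {
  const claims = decodeJwtPayload(idToken);
  return Array.isArray(claims.amr) && claims.amr.includes('mfa');
}

// Step 2: the /authorize request the app sends for step-up, with acr_values added.
// `state` must be an unguessable per-request value checked on the callback.
function stepUpAuthorizeUrl({ domain, clientId, redirectUri, state }) {
  const params = new URLSearchParams({
    response_type: 'code',
    scope: 'openid profile',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    acr_values: MFA_ACR
  });
  return `https://${domain}/authorize?${params.toString()}`;
}

// Server-side handler for the sensitive page: render if the session's ID token
// already carries amr=mfa, otherwise redirect to /authorize for step-up.
function handleSensitivePage(idToken, app) {
  if (hasMfaAmr(idToken)) return { action: 'render' };
  return { action: 'redirect', location: stepUpAuthorizeUrl(app) };
}

// Constructed sample ID tokens (header.payload.signature). The signature part is
// a placeholder; a real token is signed by the tenant and verified by the app.
function makeSampleIdToken(claims) {
  const header = base64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64urlEncode(JSON.stringify(claims))}.placeholder-signature`;
}

const app = {
  domain: 'example.auth0.com',               // assumed tenant domain
  clientId: 'CLIENT_ID',                     // assumed client id
  redirectUri: 'https://app.example/callback',
  state: 'random-state-value'                // constructed; use crypto.randomBytes in practice
};

// First login: password only, no mfa in amr, so the sensitive page must step up.
const firstLoginToken = makeSampleIdToken({ sub: 'auth0|sample', aud: 'CLIENT_ID', amr: ['pwd'] });
// Token issued after the Rule triggered MFA: amr now includes "mfa".
const afterMfaToken = makeSampleIdToken({ sub: 'auth0|sample', aud: 'CLIENT_ID', amr: ['pwd', 'mfa'] });

console.log(handleSensitivePage(firstLoginToken, app));                 // redirect with acr_values
console.log(runRule(stepUpRule, { acr_values: MFA_ACR }).multifactor);  // Rule asks for a factor
console.log(handleSensitivePage(afterMfaToken, app));                   // render
```

Run with `node step-up.js`. The same check works for an API: the access token's caller is MFA-authenticated only when a verified token shows it, so a permission claim alone (the original poster's condition) does not prove a second factor was completed; the Rule has to set context.multifactor on the transaction that issues the token.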