Stepup Authentication

We would like to implement OTP verification for critical transactions, and our use case is as follows:

1) The user registers with Auth0 using email, password, OTP, and Biometrics.
2) After registration, the user lands in the application.
3) The user can perform all normal transactions without additional OTP verification.
4) For critical transactions, such as burning loyalty points in our retail app, the user must verify themselves with an OTP before proceeding.

I have reviewed the relevant blogs and documents, but some parts remain unclear. Our goal is to have the application call back to Auth0 when the user initiates a critical transaction, prompting Auth0 to display an OTP page. After verification, the response should be sent back to the application.

Based on my understanding, the app should call the Auth0 MFA API, take the response, and then display an OTP page (which needs to be developed by the app team since the API only returns a response). Once the OTP is validated, the user can perform the critical transaction.

Please confirm if our understanding is correct. Thank you.

Hi @rameshkumar.gorthi,

Yes, your understanding is correct 👏.

However, your app team does not need to develop a separate OTP page.

You would need to redirect the user to the login page again and prompt them with MFA using an Action. Once that’s complete, the new access token will contain the required scopes to perform the critical transaction.

Please refer to this documentation: Configure Step-up Authentication for APIs

Thanks,
Rueben
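To make the flow above concrete, here is an added example (not Auth0's own code or the documentation's sample): a post-login Action that enforces MFA only when the client asks for a scope reserved for the critical transaction, and the API-side check that sends the app back to `/authorize` when that scope is missing from the access token. The scope name `burn:points` and the event/API shapes used in the sample inputs are assumptions.

```javascript
// Added example, not Auth0's own code: a post-login Action that forces MFA only
// when the client requests a scope reserved for critical transactions, plus the
// API-side check of the step-up pattern (inspect the token's scope claim).
// The scope name `burn:points` is an assumption for the retail app.
const STEP_UP_SCOPES = new Set(['burn:points']);

// Decide, from the Action event, whether MFA must be enforced for this login.
function decideStepUp(event) {
  const requested = (event.transaction && event.transaction.requested_scopes) || [];
  const sensitive = requested.filter((s) => STEP_UP_SCOPES.has(s));
  return { enableMfa: sensitive.length > 0, sensitive };
}

// Auth0 Action entry point (in the dashboard this is `exports.onExecutePostLogin`).
// Normal logins never see the MFA prompt; a login that asks for `burn:points`
// is challenged every time because the browser is not allowed to be remembered.
async function onExecutePostLogin(event, api) {
  const decision = decideStepUp(event);
  if (decision.enableMfa) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
}

// API side: after the access token's signature and audience have been verified
// (assumed to happen elsewhere), require the step-up scope on the critical route.
// The 403 tells the app to redirect to /authorize with scope=burn:points, which
// in turn triggers the Action above before a new token is issued.
function checkStepUp(tokenPayload, requiredScope) {
  const granted = typeof tokenPayload.scope === 'string' ? tokenPayload.scope.split(' ') : [];
  if (granted.includes(requiredScope)) {
    return { status: 200 };
  }
  return {
    status: 403,
    wwwAuthenticate: `Bearer error="insufficient_scope", scope="${requiredScope}"`,
  };
}

// Constructed sample inputs, shaped like the real Action event and API object.
const sampleEvent = { transaction: { requested_scopes: ['openid', 'burn:points'] } };
const calls = [];
const fakeApi = { multifactor: { enable: (p, o) => calls.push({ p, o }) } };
onExecutePostLogin(sampleEvent, fakeApi).then(() => {
  console.log('MFA enabled:', calls.length === 1);                    // true
  console.log(checkStepUp({ scope: 'openid' }, 'burn:points').status); // 403
});
```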
