Strategies to Prompt MFA at Customized Intervals

Problem statement

When a user completes MFA after logging in through Auth0, the user can click a button labelled 'Remember this device for 30 days' so that they are not prompted again the next time they log in. Currently, this is a non-configurable value; however, some use cases require finer control over when users are prompted for MFA.

Are there any potential strategies that would allow the user to be prompted for MFA at a different time interval?

Solution

NOTE: The following suggestions are not official Auth0 solutions and any custom code is the responsibility of the client to rigorously test before releasing to production.

  1. The following Post-Login Action uses event.authentication.methods to check whether the user has already completed MFA in the current session and, if so, compares the MFA timestamp with the current time to decide whether MFA should be triggered again.
exports.onExecutePostLogin = async (event, api) => {
  // Client IDs of the applications that should receive interval-based MFA.
  const CLIENTS_WITH_MFA = ['uALkIXTAdPl0LGlQUbjO7aFu1nVbYoIE'];
  if (CLIENTS_WITH_MFA.includes(event.client.client_id)) {
    console.log(`Starting MFA assessment for ${event.client.name} application`);
    let MINUTES_SINCE_LAST_MFA;
    const REQUIRE_MFA_AFTER_MINUTES = 1;
    const NOW = Date.now();
    // methods may be absent entirely when no MFA has been completed in this session.
    const COMPLETED_MFA = event.authentication?.methods?.find(x => x.name === 'mfa');
    if (COMPLETED_MFA) {
      const LAST_MFA = Date.parse(COMPLETED_MFA.timestamp);
      // Leave MINUTES_SINCE_LAST_MFA undefined (fail closed) if the timestamp cannot be parsed.
      if (!Number.isNaN(LAST_MFA)) {
        MINUTES_SINCE_LAST_MFA = Math.floor((NOW - LAST_MFA) / 60000);
      }
    }
    console.log(`Minutes since last MFA: ${MINUTES_SINCE_LAST_MFA}`);
    // Compare against undefined explicitly: a value of 0 (MFA completed less than a
    // minute ago) is falsy and would otherwise re-trigger MFA immediately.
    if (MINUTES_SINCE_LAST_MFA === undefined || MINUTES_SINCE_LAST_MFA > REQUIRE_MFA_AFTER_MINUTES) {
      console.log(MINUTES_SINCE_LAST_MFA === undefined ? `MFA WAS NOT COMPLETED` : `MINUTES_SINCE_LAST_MFA ${MINUTES_SINCE_LAST_MFA} > REQUIRE_MFA_AFTER_MINUTES ${REQUIRE_MFA_AFTER_MINUTES}`);
      console.log(`Triggering MFA!`);
      api.multifactor.enable('any', { allowRememberBrowser: false });
    } else {
      console.log(`MFA not required.`);
    }
  }
};

The drawback of this Action is that if the user logs out (or the session expires), the MFA entry is removed from event.authentication.methods, so the next login will always trigger MFA regardless of the interval; that scenario needs additional handling.

  2. After the user completes login, store a marker with the current timestamp in the user's metadata. On subsequent logins, compare the current time with the timestamp stored in the metadata and trigger MFA based on that comparison.

Unfortunately, MFA is not complete until after Actions have executed, so the Action itself cannot record when MFA was completed. The workaround is to check the ID Token claims in the application, as described in this Community Article; the app can then make a follow-up request to update the user's metadata in Auth0 with the timestamp.
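The following is an added example of the second strategy, written for this page rather than taken from Auth0 or the Community Article. It assumes a hypothetical app_metadata field named last_mfa_at holding an ISO 8601 timestamp; the Action half decides whether to call api.multifactor.enable based on that marker, and the application half reads the mfa value from the ID Token's amr claim and builds the Management API PATCH that records the completion time. The decision is kept in a pure function so it can be tested without the Auth0 runtime, and it handles the edge cases the first strategy's code trips over: a missing or unparsable marker fails closed, and a marker that is zero minutes old is treated as recent rather than as missing.

```javascript
// Added example (not Auth0's code). Assumes the hypothetical field
// event.user.app_metadata.last_mfa_at, an ISO 8601 timestamp written by the app.

const REQUIRE_MFA_AFTER_MINUTES = 60 * 24 * 7; // prompt again after seven days

// Pure decision: returns { required, minutesSince, reason } so the policy can be
// unit-tested without the Auth0 event/api objects.
function assessMfa(appMetadata, nowMs, requireAfterMinutes) {
  const raw = appMetadata ? appMetadata.last_mfa_at : undefined;
  const lastMs = raw === undefined ? NaN : Date.parse(raw);
  if (Number.isNaN(lastMs)) {
    // No marker, or a marker that does not parse: fail closed and require MFA.
    return { required: true, minutesSince: null, reason: 'no valid last_mfa_at marker' };
  }
  const minutesSince = Math.floor((nowMs - lastMs) / 60000);
  if (minutesSince < 0) {
    // A marker dated in the future is treated as invalid, not as "recent".
    return { required: true, minutesSince, reason: 'marker is in the future' };
  }
  // Explicit comparison: 0 minutes (just completed) must not count as missing.
  if (minutesSince > requireAfterMinutes) {
    return { required: true, minutesSince, reason: 'marker older than interval' };
  }
  return { required: false, minutesSince, reason: 'within interval' };
}

// Post-Login Action handler; event and api are supplied by Auth0 at runtime.
const onExecutePostLogin = async (event, api) => {
  const decision = assessMfa(event.user.app_metadata, Date.now(), REQUIRE_MFA_AFTER_MINUTES);
  if (decision.required) {
    api.multifactor.enable('any', { allowRememberBrowser: false });
  }
  return decision;
};

// Application side. Call this only after the SDK has validated the ID Token.
// If the amr claim contains 'mfa', return the Management API request that stores
// the completion time in app_metadata; otherwise return null (nothing to record).
function buildMfaMarkerUpdate(idTokenClaims, domain, nowIso) {
  const amr = Array.isArray(idTokenClaims.amr) ? idTokenClaims.amr : [];
  if (!amr.includes('mfa')) return null;
  return {
    method: 'PATCH',
    url: `https://${domain}/api/v2/users/${encodeURIComponent(idTokenClaims.sub)}`,
    body: { app_metadata: { last_mfa_at: nowIso } },
  };
}

// Auth0 loads Actions through exports; the guard keeps the file loadable elsewhere.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Two points worth keeping in mind when adapting this: the marker lives on the user, so unlike the built-in 30-day option it is not per device, and every device the user signs in from shares the same interval; and because the app writes the marker, the write must happen only after the ID Token has been validated and the request to /api/v2/users must be sent from the backend with a Management API token that has the users update scope, never from the browser.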
