Triggering 2FA (SMS, authenticator, etc.) when accessing a protected route

We are planning to migrate our existing platform to Auth0, and we are leaning towards Universal Login, more specifically the Authorization Code Flow with PKCE. This topic is clear to us, but we are unable to determine how we can implement 2FA on our existing platform. 2FA is critical to our platform since we are in the financial industry.

I've done some digging, but most of the community questions I've encountered either don't explain anything or have no support at all. Also, there are no quickstarts for this topic.

We are also aware of step-up authentication, which seems to be the ideal approach, but we want to know if there are other options where we can trigger 2FA when a user performs a certain action in our app, or even through an API call.

What backend language do you use?

We use .NET, and for this you need to challenge the auth request again, for example using a custom attribute on the API endpoint or controller… challenge with an MFA requirement…

You will add a post-login rule/action to enforce MFA if a specific flag is present in the request…

We use a similar action to enforce MFA per user, since Auth0 does not offer per-user enablement, only global for all users… so in our app the user can decide whether they are using MFA or not from the profile page…


We use NodeJS/Express.
Yes, we are looking for something similar, and this is what step-up authentication seems to be: requiring a certain scope for the transfer endpoint, the client redirects to /authorize, the rule triggers 2FA if the request has the required scope for transfer, and an updated token with the required scope is returned to the application… The only problem here is that the user won't be asked for 2FA again if another transfer is made, since the token is already updated with the scope.

Is your application returning an updated token with the required scope? Or does it just redirect back to the client after a successful 2FA challenge and proceed with the request?

Yes, in .NET we have something called attributes, so when it is required to trigger MFA I force re-auth inside this decorator, and only if the result is OK, which means the token is still present, do I continue from the attribute to the concrete API call/method; otherwise I throw 401…

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.