
Unable to renew token when MFA is enabled



I am using the webAuth.checkSession method to silently renew the token. It all worked well, but when I enabled MFA the renewal failed with the following error: {error: "login_required", error_description: "Multifactor authentication required"}

Is there a way to keep the renew feature working when MFA is enabled?

My case is :

  1. User enters username/password and performs MFA with Guardian

  2. User is logged in successfully, and checkSession to renew the token succeeds.

  3. After the user logs out, they need to perform Guardian MFA again.


There is a topic which has the same issue as mine

@jmangelo could you please give me your advice on this. Thanks
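Added example, not code from either poster: a small client-side wrapper around auth0.js webAuth.checkSession() that recognises the exact error reported above ({error: "login_required", error_description: "Multifactor authentication required"}), falls back to an interactive webAuth.authorize() redirect so the user can complete Guardian MFA, and otherwise schedules the next silent renewal. The audience, scope and the fakeWebAuth stand-in are assumptions made so the code runs offline.

```javascript
// Added example (not from the thread). Assumed SPA settings for checkSession().
const CHECK_SESSION_OPTIONS = {
  responseType: 'token id_token',
  audience: 'https://api.example.com', // assumed placeholder audience
  scope: 'openid profile'
};

// Map the callback error from webAuth.checkSession() to a decision.
// checkSession() runs the /authorize request with prompt=none, so any
// condition that needs user interaction (MFA included) comes back as an error.
function classifyRenewError(err) {
  if (!err) return 'ok';
  if (err.error === 'login_required') {
    // The thread's case: the session exists but Auth0 will not issue tokens
    // without an MFA step, which prompt=none cannot perform.
    return /multifactor/i.test(err.error_description || '')
      ? 'mfa_required'
      : 'session_expired';
  }
  if (err.error === 'consent_required' || err.error === 'interaction_required') {
    return 'interaction_required';
  }
  // Anything else (network timeout etc.): keep the current token, retry later.
  return 'transient';
}

// Milliseconds to wait before the next silent renewal: renew a little before
// the access token expires (expiresIn is in seconds in the auth0.js authResult).
function nextRenewDelayMs(expiresIn, skewSeconds = 60) {
  return Math.max(0, (expiresIn - skewSeconds) * 1000);
}

// Attempt a silent renewal and report the outcome through onDone.
// webAuth is injected so the logic can be exercised without a browser.
function renewToken(webAuth, onDone) {
  webAuth.checkSession(CHECK_SESSION_OPTIONS, (err, authResult) => {
    const outcome = classifyRenewError(err);
    if (outcome === 'ok') {
      onDone({
        outcome,
        accessToken: authResult.accessToken,
        retryInMs: nextRenewDelayMs(authResult.expiresIn)
      });
    } else if (outcome === 'transient') {
      onDone({ outcome, retryInMs: 30 * 1000 });
    } else {
      // Interactive login is the only way forward: authorize() redirects the
      // browser to the hosted login page, where the Guardian challenge runs.
      webAuth.authorize(CHECK_SESSION_OPTIONS);
      onDone({ outcome, redirected: true });
    }
  });
}

// Constructed stand-in for an auth0.js WebAuth instance (for offline testing).
// It records which methods were called and replays a canned checkSession result.
function fakeWebAuth(err, authResult) {
  const calls = [];
  return {
    calls,
    checkSession(options, cb) { calls.push('checkSession'); cb(err, authResult); },
    authorize() { calls.push('authorize'); }
  };
}
```

In a real SPA the redirect in authorize() replaces the page, so anything the application needs to resume afterwards (the route the user was on, for instance) has to be stashed before renewToken() is called.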


As mentioned in the answer to the question you linked to, if you allow end-users to remember their browsers then checkSession will succeed for those that opted in to that option, so technically that's a way to have silent authentication working with MFA. However, I'm guessing your exact requirements are not satisfied by the above. If that's the case you should update the question with some more context information about your case; for example, do you want to always bypass no matter the user's selection, or is there anything else you require?


@jmangelo I have updated my case. All I want is that when the user has logged in successfully and performed MFA, the MFA should be bypassed during token renewal. But when the user logs out and logs in again, they need to perform MFA again.


@jmangelo Could you please help me on this, as I don't know how to make silent token renewal work when MFA is enabled.


As mentioned in the answer, when remember browser is enabled and the end-user chooses it then refreshing is possible. Are you having an issue with that, or with MFA not being triggered after logout?


My issue is that after a successful login (with MFA performed), I want MFA to be bypassed during Silent Authentication regardless of whether the user selected "allow browser remember" or not. But when we log out I want MFA to be triggered normally.

Is there a way to do this? Thanks


The part about bypassing MFA regardless of the user's selection I don't think is possible, because you can define bypass criteria in rules, but to my knowledge there's no reliable way in rules to detect whether the authentication is being performed based on an existing session (bypass MFA) or based on the user entering credentials (after logout; do not bypass MFA).
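Added example, not code from either poster: an Auth0 rule of the kind the reply refers to. It requests MFA only for the listed client IDs (the "bypass criteria") and sets allowRememberBrowser so the end-user can opt in to remembering the browser, which is the option that lets a later checkSession() succeed without a second Guardian prompt. The rule runs the same way for an interactive login and for a prompt=none silent renewal, which is why the per-user opt-in, rather than a rule condition, is the lever. The client ID in CLIENTS_WITH_MFA and the rule's name are assumed placeholders.

```javascript
// Added example (not from the thread). Placeholder client ID(s) that should get MFA.
const CLIENTS_WITH_MFA = ['spa-client-id-placeholder'];

// Auth0 rule signature: function (user, context, callback).
function mfaWithRememberBrowser(user, context, callback) {
  // Bypass criterion: only the listed applications trigger MFA.
  if (CLIENTS_WITH_MFA.indexOf(context.clientID) !== -1) {
    context.multifactor = {
      provider: 'any',           // use the factor(s) enabled in the tenant (Guardian here)
      allowRememberBrowser: true // show "remember this browser"; opting in is the user's choice
    };
  }
  // A rule must always hand control back with callback(err, user, context).
  return callback(null, user, context);
}

// Helper for exercising the rule outside Auth0 with a constructed context.
// Returns the context object the rule produced (or throws the rule's error).
function runRule(clientID) {
  const user = { user_id: 'auth0|example', email: 'user@example.com' }; // constructed
  const context = { clientID };                                        // constructed
  let result;
  mfaWithRememberBrowser(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}
```

If you later want to tighten the bypass, the condition on context.clientID is the place to add further checks; nothing in the context distinguishes a silent renewal from a fresh credential login, as the reply above says.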