Unexpected Challenge or Error with MFA API Access Token Request

Overview

This article explains why an unexpected Multi-Factor Authentication (MFA) challenge occurs, or an error message is displayed, when a user attempts to obtain an MFA API access token for the https://<tenant domain>/mfa/ audience. The error encountered is:

No MFA factors enabled for enrollment

Applies To

  • MFA API
  • Access Tokens with MFA Audience

Cause

Requests for an MFA API access token that specify the audience https://<tenant domain>/mfa/ result in an MFA challenge against the user's enrolled factors whenever that user has active enrollments. The challenge must be completed before the token can be used, which prevents anyone holding only the user's primary credentials from listing, adding or removing enrolled factors. This enforcement began on August 30, 2024, and applies regardless of whether tenant MFA settings or Actions would otherwise trigger MFA.

If no MFA factors are enabled on the tenant and a token is requested for the https://<tenant domain>/mfa/ audience, the request fails and the tenant logs record error: invalid_request with error_description: No MFA factors enabled for enrollment.
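The following is an added example, not code from this article or from Auth0: a small client that requests an MFA API access token and handles both outcomes described above, the MFA challenge returned for a user with active enrollments and the invalid_request error returned when the tenant has no factors enabled, then completes an OTP challenge to obtain the token. Endpoint paths, grant types and JSON field names follow the public Auth0 MFA API documentation; the tenant domain example.auth0.com, the client id, the credentials, the enrollment records and the FakeTenant class that stands in for Auth0 are constructed for this example so it runs offline.

```python
# Added example, not code from the Auth0 article: a client for the MFA API token
# request that handles the two outcomes the Cause section describes (an MFA
# challenge for an enrolled user; invalid_request when no factors are enabled)
# and completes an OTP challenge. Endpoint paths, grant types and JSON field
# names follow the public Auth0 MFA API docs; the tenant domain, client id,
# credentials and the FakeTenant standing in for Auth0 are constructed.
import secrets

TENANT = "example.auth0.com"                       # constructed tenant domain
TOKEN_URL = f"https://{TENANT}/oauth/token"
MFA_AUDIENCE = f"https://{TENANT}/mfa/"
MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"
NO_FACTORS_MSG = "No MFA factors enabled for enrollment"


class MfaRequired(Exception):          # tenant answered mfa_required: challenge needed
    def __init__(self, mfa_token):
        super().__init__("mfa_required")
        self.mfa_token = mfa_token


class MfaNotConfigured(Exception): pass   # no MFA factors enabled on the tenant


def request_mfa_api_token(post, client_id, username, password):
    """Step 1: password grant for the /mfa/ audience. Since 30 Aug 2024 a user
    with active enrollments gets mfa_required plus an mfa_token, not a token."""
    status, body = post(TOKEN_URL, {
        "grant_type": "password", "client_id": client_id, "username": username,
        "password": password, "audience": MFA_AUDIENCE,
        "scope": "read:authenticators remove:authenticators enroll"})
    if status == 200:
        return body["access_token"]
    if body.get("error") == "mfa_required":
        raise MfaRequired(body["mfa_token"])
    if body.get("error") == "invalid_request" and NO_FACTORS_MSG in body.get("error_description", ""):
        raise MfaNotConfigured(body["error_description"])
    raise RuntimeError(f"token request failed: {status} {body}")


def complete_otp_challenge(post, get, client_id, mfa_token, otp_code):
    """Steps 2-4: list enrollments with the mfa_token, challenge the active OTP
    authenticator, then exchange mfa_token + OTP code for the access token."""
    status, auths = get(f"https://{TENANT}/mfa/authenticators", {"Authorization": f"Bearer {mfa_token}"})
    otp = [a for a in auths if a["active"] and a["authenticator_type"] == "otp"] if status == 200 else []
    if not otp:
        raise RuntimeError("no active OTP authenticator available to challenge")
    status, body = post(f"https://{TENANT}/mfa/challenge", {
        "client_id": client_id, "mfa_token": mfa_token,
        "challenge_type": "otp", "authenticator_id": otp[0]["id"]})
    if status != 200:
        raise RuntimeError(f"challenge failed: {status} {body}")
    status, body = post(TOKEN_URL, {"grant_type": MFA_OTP_GRANT, "client_id": client_id,
                                    "mfa_token": mfa_token, "otp": otp_code})
    if status != 200:
        raise RuntimeError(f"OTP grant failed: {status} {body}")
    return body["access_token"]


def login_with_mfa(tenant, client_id, username, password, otp_code=None):
    """Drive the whole flow; returns a dict so callers can branch on the outcome."""
    try:
        token = request_mfa_api_token(tenant.post, client_id, username, password)
    except MfaNotConfigured as e:
        return {"outcome": "no_factors_enabled", "error_description": str(e)}
    except MfaRequired as e:
        if otp_code is None:
            return {"outcome": "mfa_required", "mfa_token": e.mfa_token}
        token = complete_otp_challenge(tenant.post, tenant.get, client_id, e.mfa_token, otp_code)
    return {"outcome": "token", "access_token": token}


class FakeTenant:
    """Constructed stand-in for an Auth0 tenant (not the real service) that
    models only the behaviour the article describes."""
    def __init__(self, factors_enabled, enrollments, otp_code="123456"):
        self.factors_enabled, self.enrollments, self.otp_code = factors_enabled, enrollments, otp_code
        self.mfa_tokens, self.challenged = set(), set()

    def post(self, url, form):
        if url == TOKEN_URL and form.get("grant_type") == "password":
            if not self.factors_enabled:
                return 400, {"error": "invalid_request", "error_description": NO_FACTORS_MSG}
            if any(a["active"] for a in self.enrollments):   # enforced since 2024-08-30
                tok = secrets.token_urlsafe(16)
                self.mfa_tokens.add(tok)
                return 403, {"error": "mfa_required", "mfa_token": tok}
            return 200, {"access_token": "at_" + secrets.token_urlsafe(8), "token_type": "Bearer"}
        if url == f"https://{TENANT}/mfa/challenge" and form.get("mfa_token") in self.mfa_tokens:
            self.challenged.add(form["mfa_token"])
            return 200, {"challenge_type": form["challenge_type"]}
        if url == TOKEN_URL and form.get("grant_type") == MFA_OTP_GRANT:
            tok = form.get("mfa_token")
            if tok in self.challenged and form.get("otp") == self.otp_code:
                self.mfa_tokens.discard(tok); self.challenged.discard(tok)   # mfa_token is single-use
                return 200, {"access_token": "at_" + secrets.token_urlsafe(8), "token_type": "Bearer"}
            return 403, {"error": "invalid_grant", "error_description": "Invalid otp_code."}
        return 400, {"error": "invalid_request"}

    def get(self, url, headers):
        tok = headers.get("Authorization", "").removeprefix("Bearer ")
        if url == f"https://{TENANT}/mfa/authenticators" and tok in self.mfa_tokens:
            return 200, list(self.enrollments)
        return 401, {"error": "access_denied"}
```

Against a real tenant, `tenant.post` and `tenant.get` would be thin wrappers around an HTTP client that return the status code and decoded JSON body; the client code above does not change. The point of the `mfa_required` branch is that an application which previously received a token in one round trip now has to carry the `mfa_token` through a challenge, and an application that skips that branch will surface the behaviour described in this article as an unexplained failure.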

Solution

Review the implementation to determine why it obtains an MFA API token without completing full authentication, and consider alternative approaches.

  • For example, if the token is used only to retrieve a user's enrolled authentication methods so that the application can challenge them with a specific factor, the same result is available without an MFA API token: an Action can select which enrolled MFA factor Universal Login uses for the challenge. For more information, refer to Customize MFA Factor Selection in Universal Login.
  • Test this behavior in a development environment, or during a controlled maintenance window, to identify any adverse impact of the added MFA challenge on existing integrations.