Problem Statement:
Every time users open an application, MFA is required even if they entered the MFA code only a few seconds ago.
Solution:
Users are always required to use an additional factor to log in if the MFA is enabled and MFA policy is set to “Always” on the Auth0 tenant. This is the expected behavior.
If you are interested in having the user enter MFA once per session and navigate anywhere in your app, or if you want to configure step-up Authentication where users are prompted for MFA only on certain routes, here are the details:
-
Select “Never” in the MFA policy.
-
Require MFA once per user session: Multi-Factor Authentication (MFA)
-
For Step Up Auth: check this doc on github.
Reference Materials: