User property multifactor_last_modified not found in Action event

Hello,

I have been trying to implement a way to force a new MFA enrollment on next login after an MFA Reset.

The only two ways we have found are either:

  • :cross_mark: Force the MFA every time → Not something we want to do (we would like to continue using the adaptive MFA)
  • :ok_button: Use a custom action (a template already exists :+1:)
  • (:cross_mark: No built-in functionality in Auth0 apparently)

exports.onExecutePostLogin = async (event, api) => {
    if (event.user.multifactor?.length) {
        api.multifactor.enable('any', { allowRememberBrowser: false });
    }
};

Problems with this code are:

  • :warning: It overrides the general configuration for the tenant, so if my Dev tenant disables the MFA globally, this code will enforce it → I understand this is by design, so I need more intelligence for that
  • :cross_mark: It also applies to users who are not using the MFA

What I tried then :

exports.onExecutePostLogin = async (event, api) => {
    console.log(JSON.stringify(Object.keys(event.user)));

    if (!!event.user.multifactor_last_modified && event.user.multifactor?.length) {
        api.multifactor.enable('any', { allowRememberBrowser: false });
    }
};

But even though multifactor_last_modified is documented here (User Profile Structure - Auth0 Docs) as part of the properties available on the user, it seems from here (Actions Triggers: post-login - Event Object - Auth0 Docs) that it is apparently just not available for Actions…
(Even though I read here (Actions multifactor property missing from event - Auth0 Community) that it used to be)

Is that a bug or a missing feature that should have been there from the beginning ?

The only means to achieve what I want would be using extra user metadata to ensure the action only triggers when I want; when integrating with a backend application like ours, it adds complexity that could have been leveraged by Auth0.

What I am missing :

  • :ok_button: multifactor_last_modified in the user properties in action event
  • OR :white_check_mark: a “Post MFA reset“ trigger to apply the logic of pushing extra metadata to the user in there

Any plans for either of these?

Did I miss something obvious ? :sweat_smile:

Many thanks for your help

Hi @bastien.monsarrat,

Welcome to the Auth0 Community!

You are correct: while multifactor_last_modified exists in the User Profile (accessible via the Management API), it is not currently projected into the event.user object inside the Login Action; this is by design. This isn’t necessarily a bug, but rather a limitation of the user object that Auth0 sends to the Actions runtime for performance reasons. The intent of the event.user.multifactor property in Actions is to check if the user is enrolled in MFA or not.

Even though there is no direct built-in functionality for this feature, the easiest and the recommended way of achieving this is indeed using a flag in app_metadata. I understand this would add a bit of complexity from your end, but when your admin or backend resets a user’s MFA via the Management API, simply add a flag to the app_metadata at the same time and condition the Action based on that.

Currently, there are no indicators of these specific timestamps being implemented in the Post-Login event in the immediate future, nor is there a “Post-MFA Reset” trigger, but we highly encourage you to create a Feedback request, since others might be interested as well and our Product Team is actively monitoring this page for possible implementations.

Thank you and if you have further questions please let me know!
Best regards,
Remus
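
The app_metadata flag approach recommended in the reply above, sketched as an added example (not code from the thread or from Auth0). It assumes a hypothetical flag name, mfa_reset_pending, that your backend sets to true in the same Management API operation that resets the user's MFA; the flag is cleared once event.user.multifactor shows the user has enrolled again, so the tenant's adaptive MFA policy is left alone for everyone else.

```javascript
// Assumption: the backend sets app_metadata.mfa_reset_pending = true
// whenever it resets a user's MFA. The flag name is hypothetical.
const RESET_FLAG = 'mfa_reset_pending';

// Pure decision, kept separate so it can be checked outside the Actions runtime.
// 'enroll' -> reset pending and no factor enrolled yet: force MFA (enrollment)
// 'clear'  -> reset pending but the user has re-enrolled: drop the flag
// 'none'   -> no reset pending: leave the tenant's MFA policy untouched
function mfaResetDecision(user) {
  if (user.app_metadata?.[RESET_FLAG] !== true) return 'none';
  const enrolled = Array.isArray(user.multifactor) && user.multifactor.length > 0;
  return enrolled ? 'clear' : 'enroll';
}

const onExecutePostLogin = async (event, api) => {
  switch (mfaResetDecision(event.user)) {
    case 'enroll':
      api.multifactor.enable('any', { allowRememberBrowser: false });
      break;
    case 'clear':
      api.user.setAppMetadata(RESET_FLAG, false);
      break;
  }
};
// Guarded so the file also loads where `exports` is not defined.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Constructed stand-in for the `api` object, for a local dry run only.
function simulateLogin(user) {
  const calls = [];
  const api = {
    multifactor: { enable: (p, o) => calls.push(['multifactor.enable', p, o]) },
    user: { setAppMetadata: (k, v) => calls.push(['user.setAppMetadata', k, v]) },
  };
  onExecutePostLogin({ user }, api); // no awaits inside, so calls are recorded synchronously
  return calls;
}

// Constructed sample users: just reset, re-enrolled, and never reset.
console.log(simulateLogin({ app_metadata: { [RESET_FLAG]: true }, multifactor: [] }));
console.log(simulateLogin({ app_metadata: { [RESET_FLAG]: true }, multifactor: ['guardian'] }));
console.log(simulateLogin({ app_metadata: {}, multifactor: ['guardian'] }));
```

Because the flag lives in app_metadata, only the backend or the Management API can set it; the end user cannot change it from their own profile.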