User stuck in MFA stage of login if they are unable to pass MFA

When using the New Universal Login Experience configured with Auth0 Guardian SMS MFA, if the user is unable to pass MFA, they will be stuck on that page and there is no way to invalidate their session to sign in with a different user. Refreshing the page in an attempt to sign in with a different account will skip the username + password flow and bring you straight back to this MFA challenge. The only way for the user to unblock themselves is to delete their cookies.

I see two solutions to this issue:

  1. Do not create a validated Auth0 session until the user has successfully passed both the username + password step, as well as MFA.
  2. Have a link within the MFA dialogue that allows the user to abort the MFA flow and sign in with a different user.

Thanks for taking the time to create this feature request!

Agreed. Additionally, for TOTP authentication it does not show the account for which authentication is requested, making this extra challenging. A 'cancel sign in' button is sorely needed here as this scenario is impossible to handle from the application side.

2 Likes

Thanks for the additional context @martijn1

The same applies to the Account Register flow with the New Universal Login Experience.
There must be option(s) for the user to cancel registration/sign-in and then go with another user/action to escape the MFA enroll page.

1 Like

Sounds like this is similar to https://community.auth0.com/t/feature-allow-users-to-logout-from-the-mfa-flow/72206. Dan, could you merge the threads to avoid wasting votes?

1 Like

@dev35, good catch, I'll take care of that.

1 Like

Merged from another thread:

Feature:
Allow users to "logout" or reset the login flow from the MFA screen.

Description:
During the login flow, once you submit valid credentials and are pushed into the MFA prompt, there is no way to go back and enter different credentials. This is problematic in the case that the user cannot complete MFA due to not being the account owner, loss of access to the MFA method, etc.

For example, a shared household machine may have multiple credentials saved in the browser. If you were to accidentally submit the wrong credentials, you would be entered into the MFA flow with no way to complete it or escape it short of clearing your browser data - a solution that is not overtly clear to the average user.

1 Like

Hi @haydenbass13,

Welcome to the Auth0 Community!

Thank you for your valuable Feedback.

Please don't forget to vote for this Feedback!

Thank you.

1 Like

Any updates on this issue?

1 Like

Hi folks, I've brought this up to our team and added it to the backlog, no ETA at this time.

It would be helpful to know the scope of effect for this issue. Are you seeing users blocked by this in the field? Or is this something that you are running into during the development process?

Hi all,

One of our engineers was able to develop a solution for this using https://auth0.com/docs/customize/universal-login-pages/universal-login-page-templates page templates.

Give your users the option to switch users by adding a link in the footer to the logout endpoint. This will clear the session.

You can render the link only for the MFA page using a conditional:

    {% comment %} Render the switch-account link only on the MFA prompts {% endcomment %}
    {% if prompt.name contains "mfa" %}
    <footer class="footer">
      <ul>
        <li><a href="https://{YOUR_DOMAIN}/v2/logout">Sign in with a different account</a></li>
      </ul>
    </footer>
    {% endif %}

Here's an example:

1 Like

Thanks for the solution Dan. But what about in the case of a native app? In a native app I don't have a URL to return to. It would be great to hear from you.

The provided workaround might seem like a solution, and it would be if you only have one application per tenant. Given this MFA page is tenant-wide, how do you specify a different redirect for each application? The MFA page doesn't have any client_id or redirect in the query params.

This solution does not work for Google Sign In. Is there another workaround?

A post was split to a new topic: Customize MFA Page with logout link

Could you please provide an update on this issue? I'm trying to use the default design for universal login without any custom changes. However, when I try to add the logout logic to the Customize MFA Page, it completely changes the design, and I'm unable to find a way to modify the widget design when using the Customize MFA Page.

In the action you can deny with HTML to provide a logout link with the returnTo param:
    exports.onExecutePostLogin = async (event, api) => {
      // The deny reason is rendered on the error page; returnTo must be listed in the application's Allowed Logout URLs
      api.access.deny(`<a href="https://${event.request.hostname}/v2/logout?client_id=${event.client.client_id}&returnTo=${event.request.query.redirect_uri}"> Link </a>`);
    };
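As an added example (not code from the thread or from Auth0), here is how the per-application logout link from the Action approach above can be built so that the `redirect_uri` is URL-encoded into `returnTo` and checked against an allow-list before being emitted; the `event` shape mirrors the Actions post-login event fields used in the post, while the allow-list and sample values are constructed assumptions.

```javascript
// Build the /v2/logout URL an Action would emit as a "switch account" link.
// `allowedLogoutUrls` stands in for the application's Allowed Logout URLs
// (assumption: exact-match list); Auth0 rejects returnTo values not in it,
// so we refuse to emit a link that would only land on an error page.
function buildSwitchAccountUrl(event, allowedLogoutUrls) {
  const redirectUri = event.request.query.redirect_uri;
  if (!redirectUri || !allowedLogoutUrls.includes(redirectUri)) {
    return null;
  }
  const url = new URL(`https://${event.request.hostname}/v2/logout`);
  url.searchParams.set('client_id', event.client.client_id);
  // searchParams percent-encodes '?', '&' and '=' inside redirect_uri, so a
  // callback URL with its own query string is not split into extra params.
  url.searchParams.set('returnTo', redirectUri);
  return url.toString();
}

// Wrap the URL in an anchor, escaping the characters that matter in an href.
function switchAccountLinkHtml(event, allowedLogoutUrls) {
  const href = buildSwitchAccountUrl(event, allowedLogoutUrls);
  if (href === null) {
    return null;
  }
  const escaped = href.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return `<a href="${escaped}">Sign in with a different account</a>`;
}

// Constructed sample event, shaped like the real Actions event object.
const sampleEvent = {
  request: {
    hostname: 'example-tenant.us.auth0.com',
    query: { redirect_uri: 'https://app.example.com/callback?state=abc' },
  },
  client: { client_id: 'CLIENT_ID_PLACEHOLDER' },
};
const sampleAllowedLogoutUrls = ['https://app.example.com/callback?state=abc'];

console.log(switchAccountLinkHtml(sampleEvent, sampleAllowedLogoutUrls));
```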