Category: Auth0 Universal Login (ACUL) / Custom Screens
Body:
I’m using Advanced Customizations for Universal Login (@auth0/auth0-acul-js) with a custom screen for mfa-webauthn-platform-enrollment.
Steps to reproduce:
- User authenticates successfully and is prompted to enroll a platform authenticator (Touch ID / Windows Hello) on the
mfa-webauthn-platform-enrollment screen.
- User clicks “Skip”, which calls
refuseEnrollmentOnThisDevice() (also tested snoozeEnrollment() — same result).
- Per the SDK docs, “On success, Auth0 handles redirection” — so I’d expect the transaction to complete and redirect to the application’s
redirect_uri.
Actual behavior:
Instead of completing authentication and redirecting to the application, the user is sent back to the login screen, as if the transaction restarted rather than continued.
Question:
Is there tenant-side configuration (e.g., a Login Flow Action, or MFA enrollment policy) that determines what happens after refuseEnrollmentOnThisDevice / snoozeEnrollment is called? What should be checked to ensure the flow proceeds to complete login rather than restarting authentication?
Environment:
@auth0/auth0-acul-js: ^1.1.0
- Screen:
mfa-webauthn-platform-enrollment
- Custom Universal Login (ACUL)
This version has no repo, file, or organization references — just the SDK, screen name, and behavior.
Hi @dhrupal.patel
Welcome to the Auth0 Community!
You are asking whether there is tenant-side configuration—such as a Login Flow Action or MFA enrollment policy—that determines what happens after calling refuseEnrollmentOnThisDevice() or snoozeEnrollment() on the mfa-webauthn-platform-enrollment screen in Advanced Customizations for Universal Login (ACUL), and why the user is being sent back to the login screen instead of completing authentication and redirecting to the application.
Root Cause: Auth0 does not officially support optional MFA enrollment with skip or snooze functionality. When MFA enrollment is triggered (either through a post-login Action using enrollWith() or through an MFA enrollment policy), the platform expects the enrollment to be completed before the authentication transaction can proceed. Calling refuseEnrollmentOnThisDevice() or snoozeEnrollment() does not advance the authentication flow; instead, it leaves the transaction in an incomplete state, which causes the system to restart the login flow.
Official Workaround: To allow users to skip WebAuthn platform authenticator enrollment and continue to your application, you must use a post-login Action to make the enrollment optional rather than mandatory. Follow these steps:
-
Navigate to Auth0 Dashboard → Actions → Flows → Login.
-
Create or edit a post-login Action that uses enrollWithAny() instead of enrollWith(). The enrollWithAny() method allows users to skip enrollment if they have at least one other MFA factor already enrolled, or it permits the flow to continue without forcing enrollment completion.
exports.onExecutePostLogin = async (event, api) => {
// Only prompt for WebAuthn enrollment if the user has no other factors
if (event.user.enrolledFactors.length === 0) {
api.authentication.enrollWithAny({ factors: \['webauthn-platform'\] });
}
};
- Alternatively, use conditional logic in your post-login Action to check whether the user should be prompted for enrollment at all. This allows you to skip the enrollment screen entirely for certain users or conditions:
exports.onExecutePostLogin = async (event, api) => {
// Only enroll if user is in a specific group or meets a condition
if (event.user.app_metadata.requiresWebAuthnEnrollment) {
api.authentication.enrollWith({
factors: \['webauthn-platform'\]
});
}
};
-
Verify that “Customize MFA Factors using Actions” is enabled in your tenant. Navigate to Auth0 Dashboard → Security → Multi-factor Auth → Additional Settings and confirm the toggle is on. Without this setting enabled, custom Actions will not control the MFA enrollment flow.
-
Test the flow using the Auth0 CLI to validate that calling refuseEnrollmentOnThisDevice() or snoozeEnrollment() now allows the user to proceed to the application redirect URI instead of restarting login.
Important limitation: The ACUL SDK methods refuseEnrollmentOnThisDevice() and snoozeEnrollment() are designed to defer enrollment, but they do not automatically complete the authentication transaction. The tenant-side configuration must be set up to allow the flow to proceed without mandatory enrollment. If your post-login Action uses enrollWith() (which forces enrollment), these methods will not advance the user past the enrollment screen.
What to check on your tenant:
- Confirm that your post-login Action is using
enrollWithAny() or conditional logic, not enrollWith().
- Verify that the “Customize MFA Factors using Actions” toggle is enabled.
- Check your tenant logs (Monitoring > Logs) for any errors or flow rejections that occur after the user calls
refuseEnrollmentOnThisDevice().
- Ensure no MFA enrollment policy rule is forcing mandatory WebAuthn platform enrollment for all users.
See the Auth0 documentation on customizing MFA enrollments for Universal Login to review all available options and examples.
We hope this resolves the issue.
Kind Regards,
Nik