Determine if a user has performed multifactor authentication

At times, it's necessary to determine if a particular user has had the additional security of multifactor authentication applied to their session. For instance, a user may be allowed access to sensitive data or allowed to reset their password only after further confirming their identity using MFA.

For a particular user session, check the claims carried in the id_token, the JSON Web Token that Auth0 issues for that session. After verifying the id_token's signature, read its amr (Authentication Methods References) claim: MFA was applied to the session if the amr array contains the value mfa.

Note that amr can contain values other than mfa (for example, pwd for a password login), so the mere presence of the claim is not a sufficient test. Its contents must be examined for the mfa value, and only on a token whose signature has been verified, since the claims of an unverified token can be set to anything by whoever constructed it.

This example is built on top of the JSON Web Token Sample Code.

const AUTH0_CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
const jwt = require('jsonwebtoken');

// The id_token returned by Auth0 for the current session (placeholder value).
const id_token = 'YOUR_ID_TOKEN';

// Verify the signature before trusting any claim. Pin the algorithm and check
// issuer and audience so a token issued for another tenant or client is
// rejected; substitute your tenant domain and client ID for the placeholders.
jwt.verify(id_token, AUTH0_CLIENT_SECRET, {
  algorithms: ['HS256'],
  issuer: 'https://YOUR_DOMAIN/',
  audience: 'YOUR_CLIENT_ID'
}, function(err, decoded) {
  if (err) {
    console.log('invalid token');
    return;
  }

  // amr is an array of authentication method references; MFA was used only
  // if that array contains the value 'mfa'. A missing or non-array amr, or an
  // amr with other values only (e.g. ['pwd']), means no MFA.
  if (Array.isArray(decoded.amr) && decoded.amr.indexOf('mfa') >= 0) {
    console.log('You used mfa');
    return;
  }

  console.log('you are not using mfa');
});

Further reading