Adaptive MFA

Adaptive MFA is a flexible, extensible MFA policy that can help you protect your tenant from bad actors without increasing friction for real users. It assesses potential risk during every login transaction, and then prompts the user for additional verification if appropriate.

How it works

During a login transaction, Adaptive MFA calculates an overall confidence score based on analysis of three risk assessments:

Assessor Risk Signal How it is computed
NewDevice User attempts to sign in from a device that has not been used to access the account in the last 30 days. User agent and browser cookies identify a device. At login time, the device information is compared to the list of devices for the account.
ImpossibleTravel User attempts to sign in from a geolocation that indicates an impossible travel situation when compared to the last login. The distance between the last valid location and the location of the attempted sign in is computed; the time difference between the sign in attempt is used to compute a hypothetical travel velocity. Velocity is compared to a reasonable travel velocity.
UntrustedIP User attempts to sign in from an IP address known to be associated with suspicious behavior. Auth0 uses intelligence from traffic events to determine the likelihood that the IP address has been used by bad actors to perpetrate high velocity attacks.
Overall Risk Score A combination of all 3 factors above. Auth0 uses all 3 scores to assign an overall score. Use Actions if you want to implement your own business logic.

When Adaptive MFA determines the overall confidence score is low (that the login transaction is high-risk), it requires the user to verify their identity with MFA. If the user is not enrolled in MFA, they are required to complete additional verification before they are eligible to do so.

Adaptive MFA includes a comprehensive security flow that ensures the authenticity of users:

Auth0 Login Adaptive multi-factor authentication flow diagram

Adaptive MFA ignores any and all existing MFA sessions (for example, a user selected Remember this browser during a previous MFA flow), and does not allow users to bypass MFA challenges.

Customize Adaptive MFA

You can use Actions to customize the MFA flow and provide the best experience for your users.

To learn more about risk assessments, confidence scores, and customization options, read Customize Adaptive MFA.

Support and limitations

Authorization flows

Adaptive MFA is supported by all authentication and authorization flows that start with the end user. To learn more about the different flows and protocols, read Authentication and Authorization Flows and Protocols.

Protocol Flow Supported
OIDC/OAuth2 Authorization Code Flow Supported
OIDC/OAuth2 Authorization Code Flow with PKCE Supported
OIDC/OAuth2 Implicit Flow with Form Post Supported
OIDC/OAuth2 Hybrid Flow Supported
OIDC/OAuth2 Client Credentials Not supported
OIDC/OAuth2 Device Authorization Not supported
OIDC/OAuth2 Resource Owner Password (ROP) Not supported
SAML Service Provider-Initiated (SP-initiated) Supported
SAML Identity Provider-Initiated (IdP-initiated) Not supported*
WS-Federation N/A Supported
AD/LDAP N/A Supported

*Adaptive MFA is not supported for SAML IdP-initiated flows, but you can simulate the flow with OIDC applications. To learn more, read Configure IdP-Initiated SAML Sign-on to OIDC Apps.

Social connections

Adaptive MFA is fully supported for social connection types where an email address is available for each user.

Adaptive MFA requires an email address to complete the email challenge step that occurs when a user is not enrolled in MFA. If an email address is not available, Adaptive MFA cannot perform the email challenge and the transaction will be blocked. This scenario does not introduce a security risk, but it does limit the functionality of the feature.

If you’ve set up a social connection, and expect an email address to be available but it’s not, verify your configuration and confirm that the correct scopes, claims, and permissions are being requested. To learn more about supported social connections and how to install them, read Social Connections on Auth0 Marketplace.

Auth0 features

The following table lists Auth0 implementations and their functionality with Adaptive MFA:

Login Flow Implementation Adaptive MFA Support Level
Universal Login Supported
Classic Login with no customization Supported
Classic Login (hosted by Auth0), custom login page with lock.js Lock template Supported
Classic Login (hosted by Auth0), custom login page with auth0.js Custom Login Form template Supported
Classic Login (hosted by Auth0), custom login page with email passwordless flow and lock.js Passwordless template Supported
Classic Login (hosted by Auth0), custom login page with SMS passwordless flow and lock.js Passwordless template Not supported, because it does not make an email address available, which is a requirement.
Web or native apps using Resource Owner Password Grant (ROPG) flow (including those using older versions of lock.android and lock.swift SDKs Supported, with the following limitations:
• Works when all end users are already enrolled in MFA (when users are required to enroll on signup). Users who are not already enrolled will be blocked in risky scenarios.
• Risk assessment to determine if a user is logging in from a new device will not work. The ROPG flow does not support the browser cookies needed to determine risk.
• You must pass auth0-forwarded-for header with information from the originating IP address for risk assessments for IP reputation to work.
Native apps using newest version of SDKs that support embedded Universal Login Supported
Native apps using newest version of SDKs and ROPG flow Supported with the following limitations:
• Works when all end users are already enrolled in MFA (when users are required to enroll on signup). Users who are not already enrolled will be blocked in risky scenarios.
• Risk assessment to determine if a user is logging in from a new device will not work. The ROPG flow does not support the browser cookies needed to determine risk.
• You must pass auth0-forwarded-for header with information from the originating IP address for risk assessments for IP reputation to work.
Flows hosted by you (not Auth0) using lock.js or auth0.js that perform cross-origin authentication (co/authenticate endpoint) Supported

Learn more