Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Guides
Auth0 integration
Risk based authentication
Flexible multi-factor authentication
Integration
No-code rules engine

Adaptive MFA for Auth0: Customize MFA UX to reduce consumer friction without upgrading your plan.

Chris Fisher
⬤
May 19, 2025
Share
Adaptive MFA for Auth0: Customize MFA UX to reduce consumer friction without upgrading your plan

In a previous blog post we demonstrated how to enable MFA for Auth0 using Authsignal and outlined some of the benefits - for example, the ability to enable additional MFA factors without having to upgrade your Auth0 plan.

In this blog post, we will dive deeper into how you can fine-tune the MFA user experience with only some minor tweaks to your integration code.

Controlling the frequency of MFA challenges based on device

Once you’ve set up the basic integration to use Authsignal for your MFA journey, the default behavior will require users to complete an MFA challenge every time they sign in. Depending on how long your session is, this can add additional friction for users, and it is important to find the right balance between security and UX.

Configuring a rule

To help achieve this balance, you can configure a rule for your Auth0 login action in the Authsignal Portal based on the user’s device. If a user has successfully completed an MFA challenge within a previous time window - for example, within the last 24 hours, then you can set the outcome to ALLOW.

Device last authenticated at rule

This means if a user’s device has already been authenticated within the previous day, the rule will be triggered, and the action’s default outcome of CHALLENGE will be overridden by an ALLOW outcome. As a result, the user will skip the MFA step after entering their username and password.

Sending a device ID

For this rule to take effect, you must also send a device ID to Authsignal so the user’s device can be consistently identified.

You may already have a persistent device ID value that your app is managing—for example, in local storage or in a cookie—in which case we recommend sending this value to Authsignal. On the other hand, if you’re not already tracking the user’s device, you can use the Authsignal Web SDK in your web app code, which exposes an anonymousId field for a persistent value stored in a cookie.

Once you have the device ID value available in your app, you can pass it through to Authsignal via your Auth0 integration code. This can be achieved by adding device_id as an **authorization param.**

What this looks like in practice depends on exactly which Auth0 library you use. For example, if using the auth0-spa-js library:

await loginWithRedirect({
  authorizationParams: { device_id: authsignal.anonymousId },
});

Or if using the auth0-react library:

<Auth0Provider...
  authorizationParams={{
    device_id: authsignal.anonymousId,
  }}>  
  <Component {...pageProps} />
</Auth0Provider>

Or if using the nextjs-auth0 library:

await handleLogin(req, res, {
  authorizationParams: { device_id: authsignal.anonymousId },
});

Once you’ve successfully managed to pass a device ID via your Auth0 integration code, you’ll see it appear when viewing your Auth0 login actions in the Authsignal Portal.

Action data

Using your internal user ID

So far, we’ve examined how you can reduce consumer friction by controlling the rate at which users must complete an MFA challenge on the same device during login.

Another way to reduce friction while maintaining security is to challenge the user not at login but at another point when they’re further along in your app’s user journey. For example, this could occur when they’re viewing more sensitive data or when they’re making a more high-risk transaction. This kind of MFA is sometimes called “contextual MFA” or “transactional MFA,” and rules are often useful in controlling the exact conditions for triggering it.

It’s easy to integrate with Authsignal to add contextual MFA to any part of your app using our flexible integration model based on tracking actions. However, this also often means integrating in a context where your app is identifying users not by their Auth0 user ID but by your own internal user ID. And if you’re integrating with Authsignal from multiple integration touchpoints - as part of your Auth0 login flow but also outside this flow - then it’s essential to use a consistent user ID across all of them.

Fortunately, it’s simple to adapt your Auth0 integration to send Authsignal your internal user ID. This can be achieved by updating your Auth0 action code snippet:

const {  
  handleAuth0ExecutePostLogin,  
  handleAuth0ContinuePostLogin,
} = require("@authsignal/node");

exports.onExecutePostLogin = async (event, api) => {
  const userId = event.user.user_metadata["your_internal_user_id"];  
  
  await handleAuth0ExecutePostLogin(event, api, { userId });
};

exports.onContinuePostLogin = async (event, api) => {
  const userId = event.user.user_metadata["your_internal_user_id"];
  
  await handleAuth0ContinuePostLogin(event, api, { userId });
};

Auth0 provides multiple different options for where you can store your internal user ID - for example, as app_metadata, or as user_metadata - but whichever option you choose, you can look up the value when handling the Auth0 action event and pass it through to the Authsignal Node SDK. The result will be that your users are consistently identified, whether they’re doing MFA on login or contextual MFA at a later point in your app’s user journey.

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Guides
Auth0 integration
Risk based authentication
Flexible multi-factor authentication
Integration
No-code rules engine

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies