Biometric Prompt Not Triggered on First Login After Enrollment for New Users

Overview

This article explains why a newly registered user who enrolls in biometrics through a custom Auth0 Action is not prompted for biometric authentication on their first login after enrollment. The prompt is correctly triggered on the second and all subsequent logins.

Applies To
  • Auth0 Actions
  • Multi-factor Authentication (MFA)
  • WebAuthn

Cause

This behavior is expected and occurs due to the data handling model within the Auth0 Actions runtime. The root cause is related to how and when user profile data is read during a single login transaction.

When a login transaction begins, Auth0 Actions creates a static "snapshot" of the user's profile data at that moment and makes it available in the event.user object. For a newly registered user, the metadata indicating biometric enrollment does not exist in this initial snapshot.

During the Action's execution, the user successfully enrolls in biometrics, and their user profile is updated in the database to reflect this change. However, when the login flow continues to the Multi-factor Authentication (MFA) evaluation step within the same transaction, it references the original data snapshot. Since that snapshot does not contain the new enrollment information, the system concludes that the user is not enrolled in MFA for that specific login and skips the biometric prompt.

On the next login attempt, a new transaction starts, and a fresh snapshot of the user's profile is taken. This new snapshot includes the updated biometric enrollment status, causing the MFA prompt to be triggered as expected.

Solution

This behavior is a fundamental aspect of the Auth0 Actions runtime, designed to ensure data consistency throughout a single execution. Updates made to a user's profile, such as setting an app_metadata flag for biometric enrollment, are not available to subsequent processes within the same login transaction.

The correct biometric authentication prompt will appear on the user's next login session after the enrollment flow is complete. At that time, a new data snapshot will be created that accurately reflects the user's current MFA enrollment status. It is important to account for this data propagation model when designing user enrollment flows.
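
The snapshot behavior described above can be reproduced with a small simulation. This is an added example, not Auth0's runtime code or code from the original article; the biometric_enrolled flag, the Map-based user store, the runLogin and demo helpers, and the sample user ID are all assumptions made for illustration.

```javascript
// Constructed simulation of the snapshot model described above; not Auth0 runtime code.
// FLAG is a hypothetical app_metadata key chosen for this example.
const FLAG = "biometric_enrolled";

// One login transaction against a stand-in user store (a Map).
function runLogin(db, userId, action) {
  const record = db.get(userId);
  // event.user is a frozen copy of the profile taken when the transaction starts.
  const event = {
    user: Object.freeze({
      user_id: userId,
      app_metadata: Object.freeze({ ...record.app_metadata }),
    }),
  };
  // Stand-in shaped like api.user.setAppMetadata: updates the stored profile only.
  const api = {
    user: { setAppMetadata(key, value) { record.app_metadata[key] = value; } },
  };
  action(event, api);
  // MFA evaluation later in the same transaction still reads the snapshot.
  return {
    prompted: event.user.app_metadata[FLAG] === true,
    stored: record.app_metadata[FLAG] === true,
  };
}

// Action-style handler: records enrollment when the snapshot shows none.
function onExecutePostLogin(event, api) {
  if (!event.user.app_metadata[FLAG]) api.user.setAppMetadata(FLAG, true);
}

// Two consecutive logins for a newly registered user (constructed sample data).
function demo() {
  const db = new Map([["auth0|example-new-user", { app_metadata: {} }]]);
  const first = runLogin(db, "auth0|example-new-user", onExecutePostLogin);
  const second = runLogin(db, "auth0|example-new-user", onExecutePostLogin);
  return { first, second };
}

console.log(demo());
```

In the first transaction the stored profile already carries the flag while the snapshot does not, so any flow that must enforce the biometric factor immediately after enrollment has to treat that first login as not yet challenged.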
