Configure Conditional Multi-Factor Authentication for Database Connections

Overview

This article explains how to configure a tenant to apply Multi-Factor Authentication (MFA) specifically for username and password connections, ensuring that users with Enterprise connections are not prompted for MFA.

Applies To
  • Actions
  • Multi-Factor Authentication (MFA)
  • Database connections
  • Enterprise connections

Solution
  1. Go to Security > Multi-factor Auth in the Auth0 Dashboard.
  2. Select Never under the Define policies section.

    • NOTE: Setting this to Never ensures that MFA is only triggered by the custom Action.

  3. Select Customize MFA using actions.

  4. Go to Actions > Library.

  5. Select Build from Scratch.

  6. Enter a descriptive name (for example, MFA for Database Users).

  7. Select Login / Post Login in the Select a trigger modal.

  8. Select Create.

  9. Enter the following code in the editor to check the connection strategy and enable MFA only for database connections:

    exports.onExecutePostLogin = async (event, api) => {
      // check if the user is logging in with a database connection.
      // the strategy 'auth0' is used for Auth0 database connections.
      if (event.connection.strategy === 'auth0') {
        // if it's a database connection, enable MFA.
        // 'any' will allow the user to choose from any of the enabled MFA factors.
        api.multifactor.enable('any');
      }
    };
    
    
  10. Select Deploy.

  11. Go to Actions > Triggers.

  12. Select Post-login.

  13. Drag the created Action from the Add Action panel to the execution flow.

  14. Select Apply.
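
Before deploying, the handler can be run locally against stubbed event and api objects to confirm which connections trigger MFA. This is an added example, not part of the original article or Auth0's own code; the connection names, the stub api object, and the helpers mfaCallsFor and mfaMatrix are assumptions made for illustration.

```javascript
// Copy of the article's Post Login handler, bound to a local name so it runs outside Auth0.
const onExecutePostLogin = async (event, api) => {
  if (event.connection.strategy === 'auth0') {
    api.multifactor.enable('any');
  }
};

// Constructed sample connections: the names are made up, the strategies are
// Auth0 connection strategy identifiers.
const sampleConnections = [
  { name: 'Username-Password-Authentication', strategy: 'auth0' }, // database
  { name: 'corp-saml', strategy: 'samlp' },                        // enterprise (SAML)
  { name: 'corp-entra', strategy: 'waad' },                        // enterprise (Microsoft Entra ID)
  { name: 'google', strategy: 'google-oauth2' },                   // social
];

// Hypothetical helper: runs the handler against a stub api and returns
// every api.multifactor.enable() call it made.
async function mfaCallsFor(connection) {
  const calls = [];
  const api = {
    multifactor: {
      enable: (provider, options) => { calls.push({ provider, options }); },
    },
  };
  const event = { connection: { name: connection.name, strategy: connection.strategy } };
  await onExecutePostLogin(event, api);
  return calls;
}

// Hypothetical helper: maps each strategy to whether the handler enabled MFA for it.
async function mfaMatrix(connections = sampleConnections) {
  const result = {};
  for (const c of connections) {
    const calls = await mfaCallsFor(c);
    result[c.strategy] = calls.length > 0;
  }
  return result;
}

mfaMatrix().then((m) => console.log(m));
```

Because the check keys on the strategy 'auth0', every other connection type skips MFA, including the social connection in the sample set, not only Enterprise connections.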
