MFA Challenge Occurs Twice with Native to Web SSO Flow
This article explains why users are challenged for Multi-Factor Authentication (MFA) twice during the Native to Web SSO flow. This occurs even if the user successfully completes MFA during the initial login.
- Native to Web SSO
- MFA
This issue occurs when a Post-Login Action is configured to ensure MFA is prompted only once per session. This configuration relies on the mf_auth0 cookie, which is not present during the Native to Web SSO flow. Consequently, the system prompts the user for MFA during both the Native login and the Web SSO login.
To resolve this issue, check for a Session Transfer Token through the event.session_transfer_token property in a Post-Login Action. This property is present only when the login uses the Native to Web SSO flow. If the property exists, MFA can be skipped by calling api.multifactor.enable('none').
Refer to the following example code:
exports.onExecutePostLogin = async (event, api) => {
  // Check if the login is part of a Native to Web SSO flow by looking for the session_transfer_token.
  if (event.session_transfer_token) {
    // If it is, disable MFA for this specific login transaction.
    api.multifactor.enable('none');
  }
};
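The following is an added example, not code from the original article or from Auth0. It shows one way to merge the Session Transfer Token check into a "prompt for MFA once per session" Post-Login Action and to exercise each branch locally with a mock api object. It assumes the existing Action decides "once per session" by looking for an 'mfa' entry in event.authentication.methods; the helper names (decideMfa, applyMfaPolicy, simulate) and the sample events are constructed for illustration.

```javascript
// Returns the provider to pass to api.multifactor.enable(), or null to leave MFA untouched.
function decideMfa(event) {
  // Native to Web SSO: the article states this property is present only on that flow.
  if (event.session_transfer_token) return 'none';

  // Assumed once-per-session rule: prompt only if this session has no recorded MFA.
  const methods = (event.authentication && event.authentication.methods) || [];
  const mfaDone = methods.some((m) => m.name === 'mfa');
  return mfaDone ? null : 'any';
}

// Applies the decision through the Actions api object and returns it for inspection.
function applyMfaPolicy(event, api) {
  const provider = decideMfa(event);
  if (provider) api.multifactor.enable(provider);
  return provider;
}

// Action entry point, in the shape the Actions runtime expects.
const onExecutePostLogin = async (event, api) => {
  applyMfaPolicy(event, api);
};
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Local harness (hypothetical): records every api.multifactor.enable() call.
function simulate(event) {
  const calls = [];
  const api = { multifactor: { enable: (provider) => calls.push(provider) } };
  applyMfaPolicy(event, api);
  return calls;
}

// Constructed sample events; real events carry many more fields.
const SAMPLE_EVENTS = {
  nativeFirstLogin: { authentication: { methods: [{ name: 'pwd' }] } },
  sameSessionAfterMfa: { authentication: { methods: [{ name: 'pwd' }, { name: 'mfa' }] } },
  webSsoTransfer: {
    authentication: { methods: [] },
    session_transfer_token: { client_id: 'PLACEHOLDER_CLIENT_ID' },
  },
};
```

Because the token check comes first, the web login that arrives with a session transfer token never reaches the once-per-session rule, which is the branch that caused the second prompt.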