{"id":"aa2aca59-2496-4f3b-9ed0-ead05372a809","task":"Enroll a WebAuthn factor and configure Auth0 MFA passkeys via the Auth0 Management API and Actions","domain":"auth0.com","steps":["Enable WebAuthn (passkeys) as an MFA factor in the Auth0 Dashboard under Security > Multi-factor Auth, or via the Management API PATCH /api/v2/guardian/factors/webauthn-roaming or webauthn-platform.","To enforce WebAuthn as the only factor or as a step-up trigger, configure an Auth0 Action on the post-login trigger that checks event.authentication.methods and calls api.authentication.challengeWith({ type: 'webauthn-roaming' }) or 'webauthn-platform'.","For self-service enrollment, redirect users to the Auth0 Universal Login MFA enrollment flow; Auth0 handles the WebAuthn ceremony, stores the credential, and associates it with the user's profile.","To list or delete a user's enrolled WebAuthn authenticators, call the Management API GET/DELETE /api/v2/users/{user_id}/authenticators.","For passkeys as a primary authentication factor (passwordless), enable the passkeys feature in Auth0 and configure the identifier-first login flow; the challenge and ceremony are handled by Auth0's hosted pages."],"gotchas":["Auth0 manages the WebAuthn challenge lifecycle internally; do not attempt to intercept or replay challenges issued by Auth0's hosted pages — they are single-use and server-validated.","The webauthn-platform and webauthn-roaming factors are managed separately; a user enrolled in platform (Touch ID) is not automatically enrolled in roaming (security key) and vice versa.","Management API tokens used to read or delete authenticators require the read:authenticators and delete:authenticators scopes; these are sensitive scopes that should not be granted to client-side applications."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:23.292Z"},"url":"https://mcp.waymark.network/r/aa2aca59-2496-4f3b-9ed0-ead05372a809"}