Manage Dashboard Access with Multi-factor Authentication

Multi-factor authentication (MFA) adds a second layer of protection to your Auth0 account. Once enabled, you are prompted for an additional piece of identifying information after supplying your login credentials. This ensures that only the legitimate account holder can log in, even if their username and password have been compromised.

An administrator can self-enroll for MFA in their Account Settings. The MFA indicator in the Auth0 Dashboard > Settings > Tenant Members list identifies whether an administrator has enabled their account for MFA.

Auth0 supports the following factors for enabling MFA for Dashboard users:

  • Push notification via Guardian: Sends push notifications to a user's pre-registered device, typically a mobile phone or tablet. The user can immediately allow or deny account access with a button press. The push factor is available with the Guardian mobile app for iOS and Android.

  • One-time passwords (OTP): Allows a user to use an authenticator app on their personal device, such as Google Authenticator, to generate a time-based one-time password (TOTP) that changes every 30 seconds and is entered as a second factor to validate the account.

  • SMS notification: Sends a one-time code over SMS that the user is then prompted to enter before they can complete authentication.

Admins must enable at least one factor to use MFA. Auth0 highly recommends enrolling multiple factors so you can still access your account if you lose your primary device. An ideal setup is Guardian or OTP as the primary method, one or more SMS numbers as a backup, and a recovery code as well. If you can't provide your MFA token and you don't have a working backup method, your account may be irrecoverable.

Add MFA

  1. To self-enroll for MFA, the user should click their username in the top right and choose Account Settings from the dropdown menu to open their user profile.

  2. Click Enroll your device now.

  3. Follow the on-screen instructions to complete the enrollment.


Recovery codes

Immediately after successfully enabling MFA, the user is prompted to copy a recovery code. Should the user lose access to all their enrolled factors, they can use this recovery code to log in to their account. We suggest printing recovery codes or storing them in a safe place, such as a password manager.

If the user loses the recovery codes or just wants to generate new ones, they can do so from their profile page.
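To show why recovery codes must be saved at the moment they are displayed, here is an added example (not Auth0's code) of how a service typically issues and consumes them: the server keeps only a hash of each code, each code works exactly once, and regenerating replaces the whole set. The code format, count and hashing scheme are this example's assumptions, not a description of Auth0's implementation.

```python
# Added example, not Auth0 code: single-use recovery codes stored only as hashes.
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10) -> list[str]:
    """Return `count` random codes formatted as xxxxx-xxxxx-xxxxx-xxxxx (80 bits each)."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(10)
        codes.append("-".join(raw[i:i + 5] for i in range(0, 20, 5)))
    return codes


def _normalise(code: str) -> str:
    # Tolerate the separators and case a user is likely to type from a printout.
    return code.replace("-", "").replace(" ", "").lower()


def _digest(code: str) -> str:
    return hashlib.sha256(_normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """What the server retains: hashes only, so a lost code cannot be shown again."""

    def __init__(self, codes: list[str]):
        self._digests = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._digests)

    def redeem(self, submitted: str) -> bool:
        """Accept a code once; it is deleted the moment it is used."""
        d = _digest(submitted)
        for stored in self._digests:
            if hmac.compare_digest(stored, d):
                self._digests.remove(stored)
                return True
        return False

    def regenerate(self, count: int = 10) -> list[str]:
        """Invalidate every existing code and issue a fresh set (the 'generate new ones' action)."""
        codes = generate_recovery_codes(count)
        self._digests = {_digest(c) for c in codes}
        return codes


if __name__ == "__main__":
    issued = generate_recovery_codes()
    store = RecoveryCodeStore(issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("second use:", store.redeem(issued[0]))  # False: already consumed
    print("left:", store.remaining())
```

Because only digests are stored, the plaintext codes exist solely in the copy the user saved; if that copy is lost, the only option is to regenerate, which also invalidates any codes an attacker might have obtained.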

Remove or change MFA

Users can remove or replace a factor, for example when the device that holds it is lost.

  1. If a user is changing devices and will no longer have the old device, they remove it from their profile; removal requires verifying MFA with that device.

  2. The user is prompted for the factor, and once it is verified the device is removed.

    1. If the user no longer has access to the device, they can use a recovery code to complete the same process with the same result. Then they can add a new device.

    2. If the user no longer has access to the device or a recovery code, another admin must file an Auth0 support ticket on their behalf so Auth0 can verify the request and proceed with an MFA reset. This applies only to Dashboard Admin accounts. Auth0 will not process MFA resets for end-user accounts, as Auth0 does not control your tenants.

Log in to Dashboard with MFA enabled

Logging in with MFA enabled is only slightly different from a normal login. After you enter the admin account credentials, a second prompt appears, depending on which MFA factors you have enrolled.

If a user loses access to their primary factor, they can choose Select Another Method and authenticate with any of the other enrolled factors, including a recovery code. This is why enrolling multiple methods matters: it prevents being locked out of your account.
