Multi-Factor Authentication for Dashboard Users
Multi-factor authentication (MFA) adds an additional level of security to an Auth0 account. When users with MFA enabled log into the Auth0 Dashboard, Auth0 prompts for their credentials plus an additional piece of identifying information. This ensures that only valid users can access their accounts, even if a bad actor has compromised a username and password.
Any Dashboard user can self-enroll in MFA in Your Profile. The MFA indicator in the Auth0 Dashboard > Settings > Tenant Members list identifies whether a user has enabled MFA for their account.
Auth0 supports these authentication factors for Dashboard users:
WebAuthn with FIDO security keys: WebAuthn roaming authenticators are removable and cross-platform, like a Yubikey, and can be used on multiple devices. To authenticate with a roaming authenticator, users must connect the authenticator to their device (through USB, NFC, or Bluetooth) and provide proof of presence (by touching it, for example).
WebAuthn with device biometrics: WebAuthn platform authenticators are attached to a device and work on that device only. Examples are the MacBook Touch Bar, Windows Hello, iOS Touch ID or Face ID, and Android fingerprint or face recognition. Because they work on the attached device only, a user must have at least one other factor enrolled in their profile before enrolling device biometrics.
Push notification via Guardian: Sends push notifications to a user's pre-registered device, typically a mobile phone or tablet. The user can immediately allow or deny account access with a button press. The push factor is available with the Guardian mobile app for iOS and Android.
One-time passwords (OTP): Allows a user to use an authenticator app (such as Google Authenticator) on their personal device. The app generates an OTP that changes over time and can be entered as a second factor to validate the account.
SMS notification: Sends a one-time code over SMS. Auth0 then prompts the user to enter this code before they can complete authentication. SMS as an MFA is available only on tenants attached to a subscription plan.
To learn how to enroll in Dashboard MFA, read Add Multi-Factor Authentication for Auth0 Dashboard Access.
Auth0 recommends WebAuthn factors as the most secure and usable authentication methods. To learn more, read FIDO Authentication with WebAuthn.
Admins must enable at least one factor to use MFA. Auth0 highly recommends setting up multiple factors so you can still access your account if you lose your primary device.
An ideal setup is to use three factors:
WebAuthn, Guardian, or OTP as the primary method.
One or more SMS numbers as a backup (available only on tenants attached to a subscription plan).
A recovery code.
If you can't provide your MFA token and you don’t have proper backup methods, your account may be irrecoverable.