Adaptive MFA
To use Adaptive MFA, you must have an Enterprise Plan with the Adaptive MFA addon. Refer to Auth0 Pricing for details.
Adaptive MFA is a flexible, extensible MFA policy that can help you protect your tenant from bad actors without increasing friction for real users. It assesses potential risk during every login transaction, and then prompts the user for additional verification if appropriate.
How it works
During a login transaction, Adaptive MFA calculates an overall confidence score based on analysis of three risk assessments:
| Assessor | Risk Signal | How it is computed |
|---|---|---|
NewDevice |
User attempts to sign in from a device that has not been used to access the account in the last 30 days. | User agent and browser cookies identify a device. At login time, the device information is compared to the list of devices for the account. |
ImpossibleTravel |
User attempts to sign in from a geolocation that indicates an impossible travel situation when compared to the last login. | The distance between the last valid location and the location of the attempted sign in is computed; the time difference between the sign in attempt is used to compute a hypothetical travel velocity. Velocity is compared to a reasonable travel velocity. |
UntrustedIP |
User attempts to sign in from an IP address known to be associated with suspicious behavior. | Auth0 uses intelligence from traffic events to determine the likelihood that the IP address has been used by bad actors to perpetrate high velocity attacks. |
| Overall Risk Score | A combination of all 3 factors above. | Auth0 uses all 3 scores to assign an overall score. Use Actions if you want to implement your own business logic. |
When Adaptive MFA determines the overall confidence score is low (that the login transaction is high-risk), it requires the user to verify their identity with MFA. If the user is not enrolled in MFA, they are required to complete additional verification before they are eligible to do so.
Adaptive MFA includes a comprehensive security flow that ensures the authenticity of users:
Adaptive MFA ignores any and all existing MFA sessions (for example, a user selected Remember this browser during a previous MFA flow), and does not allow users to bypass MFA challenges.
Customize Adaptive MFA
You can use Actions to customize the MFA flow and provide the best experience for your users. To learn more, read Customize Adaptive MFA.
Support and limitations
Authorization flows
Adaptive MFA is supported by all authentication and authorization flows that start with the end user. To learn more about the different flows and protocols, read Authentication and Authorization Flows and Protocols.
| Protocol | Flow | Supported |
|---|---|---|
| OIDC/OAuth2 | Authorization Code Flow | Supported |
| OIDC/OAuth2 | Authorization Code Flow with PKCE | Supported |
| OIDC/OAuth2 | Implicit Flow with Form Post | Supported |
| OIDC/OAuth2 | Hybrid Flow | Supported |
| OIDC/OAuth2 | Client Credentials | Not supported |
| OIDC/OAuth2 | Device Authorization | Not supported |
| OIDC/OAuth2 | Resource Owner Password (ROP) | Not supported |
| SAML | Service Provider-Initiated (SP-initiated) | Supported |
| SAML | Identity Provider-Initiated (IdP-initiated) | Not supported* |
| WS-Federation | N/A | Supported |
| AD/LDAP | N/A | Supported |
*Adaptive MFA is not supported for SAML IdP-initiated flows, but you can simulate the flow with OIDC applications. To learn more, read Configure IdP-Initiated SAML Sign-on to OIDC Apps.
Social connections
Adaptive MFA is fully supported for social connection types where an email address is available for each user.
Adaptive MFA requires an email address to complete the email challenge step that occurs when a user is not enrolled in MFA. If an email address is not available, Adaptive MFA cannot perform the email challenge and the transaction will be blocked. This scenario does not introduce a security risk, but it does limit the functionality of the feature.
If you’ve set up a social connection, and expect an email address to be available but it’s not, verify your configuration and confirm that the correct scopes, claims, and permissions are being requested. To learn more about supported social connections and how to install them, read Social Connections on Auth0 Marketplace.
Auth0 features
The following table lists Auth0 implementations and their functionality with Adaptive MFA:
| Login Flow Implementation | Adaptive MFA Support Level |
|---|---|
| Universal Login | Supported |
| Classic Login with no customization | Supported |
Classic Login (hosted by Auth0), custom login page with lock.js Lock template |
Supported |
Classic Login (hosted by Auth0), custom login page with auth0.js Custom Login Form template |
Supported |
Classic Login (hosted by Auth0), custom login page with email passwordless flow and lock.js Passwordless template |
Supported |
Classic Login (hosted by Auth0), custom login page with SMS passwordless flow and lock.js Passwordless template |
Not supported, because it does not make an email address available, which is a requirement. |
Web or native apps using Resource Owner Password Grant (ROPG) flow (including those using older versions of lock.android and lock.swift SDKs |
Supported, with the following limitations: • Works when all end users are already enrolled in MFA (when users are required to enroll on signup). Users who are not already enrolled will be blocked in risky scenarios. • Risk assessment to determine if a user is logging in from a new device will not work. The ROPG flow does not support the browser cookies needed to determine risk. • You must pass auth0-forwarded-for header with information from the originating IP address for risk assessments for IP reputation to work. |
| Native apps using newest version of SDKs that support embedded Universal Login | Supported |
| Native apps using newest version of SDKs and ROPG flow | Supported with the following limitations: • Works when all end users are already enrolled in MFA (when users are required to enroll on signup). Users who are not already enrolled will be blocked in risky scenarios. • Risk assessment to determine if a user is logging in from a new device will not work. The ROPG flow does not support the browser cookies needed to determine risk. • You must pass auth0-forwarded-for header with information from the originating IP address for risk assessments for IP reputation to work. |
Flows hosted by you (not Auth0) using lock.js or auth0.js that perform cross-origin authentication (co/authenticate endpoint) |
Supported |