Multi-Factor Authentication Factors
Auth0 supports a number of different options or factors for protecting user account access with multi-factor authentication (MFA).
To select the MFA factors to use on your tenant, go to Dashboard > Security > Multi-factor Auth. You must enable at least one factor on your tenant to use MFA. Available factors are dependent on your subscription plan. To learn more, read Auth0 Pricing.
Auth0 supports the following factors for implementing MFA.
Send users push notifications to their pre-registered devices, typically a mobile phone or tablet, from which a user can immediately allow or deny account access via the simple press of a button. Push factor is offered with the Auth0 Guardian mobile app, available for both iOS and Android. To learn more, read Auth0 Guardian.
If you don’t want your customers to have to download a separate application, Auth0 also provides a Guardian SDK for building a second-factor workflow in your existing mobile device app. To learn more, read Install Guardian SDK.
Send users a one-time code over SMS which the user is then prompted to enter before they can finish authenticating. To learn more, read Configure SMS and Voice Notifications for MFA.
Deliver a one-time code to users through voice call which the user is then prompted to enter before they can finish authenticating. To learn more, read Configure SMS and Voice Notifications for MFA.
One-time passwords allow you to use an authenticator application on the user's personal device, such as Google Authenticator, to generate a one-time password that changes over time and which can be entered as the second factor to validate an account. To learn more, read Configure OTP Notifications for MFA.
WebAuthn with security keys
WebAuthn with device biometrics
Enable users to perform MFA using platform authenticators such as are MacBook’s TouchBar, Windows Hello, iOS Touch/FaceId, and Android’s fingerprint/face recognition. To learn more, read Configure WebAuthn with Device Biometrics for MFA.
Enable users to perform MFA using one-time passwords delivered through email when they don't have other authentication factors available. To learn more, read Configure Email Notifications for MFA.
Cisco Duo security
Cisco Duo is a multi-faceted provider and can only be used if it's the only factor available for the user. Use your Duo account to manage MFA with Auth0. To learn more, read Configure Cisco Duo Security for MFA.
Recovery codes are unique codes allowing users to regain account access if they cannot access the device or account used for MFA enrollment. To learn more, read Configure Recovery Codes for MFA
Policies determine when a user will be prompted to complete additional steps to prove they own a particular account. Use policies to define your own level of acceptable risk. You can choose between Never, Use Adaptive MFA, and Always.
You can achieve more refined multifactor configurations (such as per application, per user, etc.) by using Auth0 Rules. To learn more, read Auth0 Rules.
There are different ways to manage MFA depending on your environment:
B2B: Your customers manage MFA factors for their users.
B2C: End users manage their own MFA factors via an My MFA Settings page.
B2E: You manage MFA factors for your users.
To learn about the API endpoints that you can use to build a user interface to manage MFA factors, see Manage Authenticator Factors Using the MFA API.
Applications that allow access to different types of resources can require users to authenticate with a stronger authentication mechanism to access sensitive resources. See Step-Up Authentication for details.
To configure a rule, go to Dashboard > Auth0 Pipeline > Rules and define conditions to trigger authentication challenges. Use rules to force MFA for users of certain applications, or for users with particular user metadata or IP ranges, among other triggers.
Add contextual MFA which allows you to define arbitrary conditions that will trigger additional authentication challenges to your customers for increased security, for example, geographic location (geofencing), address or type of network used (IP filtering), time of day, day of the week or change in the location or device being used to log in.