Configure Vonage as MFA SMS Provider

Auth0 can deliver multi-factor authentication (MFA) verification codes by text message through the Vonage (previously Nexmo) SMS API. To learn more, see Vonage's SMS API Overview.

The following steps will add text-message-based MFA to the login flow for the tenant in which you're working. We highly recommend testing this setup on a staging or development server before making the changes to your production login flow.

To configure a custom SMS provider for MFA using Vonage, you will:

  1. Create a Send Phone Message hook

    1. Configure hook secrets

    2. Include the nexmo module

    3. Add the Vonage API Call

    4. Test your hook implementation

  2. Activate the custom SMS factor

  3. Test the MFA flow

Optional: Troubleshoot

Prerequisites

Create Send Phone Message hook

Create a Send Phone Message hook in the Auth0 Dashboard that will contain the code and secrets of your custom implementation. You can only have one Send Phone Message hook active at a time.

Configure hook secrets

Add the following hook secrets with the keys and corresponding values from the Getting Started Guide in the Vonage dashboard:

  • VONAGE_API_KEY

  • VONAGE_API_SECRET

  • VONAGE_FROM_NUMBER

Include Nexmo module

The hook uses the Nexmo Client Library for Node.js module, so you need to include this package in your hook.

  1. Click the Settings icon and select NPM Modules.

  2. Search for nexmo and add the module that appears.


Add Vonage API call

To make the call to the Vonage API, add the appropriate code to the Hook. Copy the code block below and paste it into the Hooks code editor. This function will run each time a user requires MFA, calling the Vonage API to send a verification code via SMS.

module.exports = function(toNumber, text, context, cb) {
  // Client library added under NPM Modules; credentials come from the hook secrets.
  const Nexmo = require('nexmo');
  const nexmo = new Nexmo({
    apiKey: context.webtask.secrets.VONAGE_API_KEY,
    apiSecret: context.webtask.secrets.VONAGE_API_SECRET,
  });

  const fromNumber = context.webtask.secrets.VONAGE_FROM_NUMBER;
  // Strip every non-digit character from the recipient number.
  toNumber = toNumber.replace(/\D/g, '');

  nexmo.message.sendSms(fromNumber, toNumber, text, (err, responseData) => {
    // The API call itself returned an error.
    if (err) {
      return cb(err);
    }

    // The call can succeed while the message is rejected:
    // any status other than '0' is treated as a failure.
    const firstMsg = responseData.messages[0];
    if (firstMsg['status'] !== '0') {
      return cb(new Error('Message failed: ' + firstMsg['error-text']));
    }

    return cb(null, {});
  });
};

Test hook implementation

Click the Runner button to try the completed Hook. Make sure to change the recipient value in the body to your test number from the Vonage API. You should receive a test text message, and the webtask should complete successfully.
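The Runner sends a real message, so it only covers the success path. The following added example (not Auth0's or Vonage's code) re-creates the hook's logic with the SMS client injected, so the failure paths can be exercised offline. The names makeSendPhoneMessage, stubClient and runCase are hypothetical, the stub only mimics the response fields the hook reads, and all numbers and error texts are constructed.

```javascript
// Added example: the page's hook logic with the SMS client injected for offline tests.
// makeSendPhoneMessage, stubClient and runCase are hypothetical names.
function makeSendPhoneMessage(client, fromNumber) {
  return function (toNumber, text, context, cb) {
    // Same normalisation as the page's hook: keep digits only.
    const digits = String(toNumber).replace(/\D/g, '');
    if (digits.length === 0) {
      return cb(new Error('Recipient number contains no digits'));
    }
    client.message.sendSms(fromNumber, digits, text, (err, responseData) => {
      if (err) return cb(err);
      const messages = (responseData && responseData.messages) || [];
      if (messages.length === 0) {
        return cb(new Error('Message failed: empty response'));
      }
      const firstMsg = messages[0];
      // err can be null while the per-message status still reports a failure.
      if (firstMsg['status'] !== '0') {
        return cb(new Error('Message failed: ' + firstMsg['error-text']));
      }
      return cb(null, {});
    });
  };
}

// Constructed stub: records each call and replies with a canned response.
function stubClient(err, responseData) {
  const calls = [];
  return {
    calls,
    message: {
      sendSms(from, to, text, done) {
        calls.push({ from, to, text });
        done(err, responseData);
      },
    },
  };
}

// Runs one send against a stub and returns what the hook passed to cb.
function runCase(toNumber, err, responseData) {
  const client = stubClient(err, responseData);
  const send = makeSendPhoneMessage(client, '15550100'); // constructed sender
  let result;
  send(toNumber, 'Your code is 000000', {}, (e, r) => { result = { err: e, res: r }; });
  return { result, calls: client.calls };
}

const demo = runCase('+1 (555) 010-0199', null, { messages: [{ status: '2', 'error-text': 'constructed error' }] });
console.log(demo.result.err.message);
```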


Activate custom SMS factor

To use the SMS factor, your tenant needs to have MFA enabled globally or required for specific contexts using rules. To learn how to enable the MFA feature, see:

The hook is now ready to send MFA codes. The last steps are to configure the SMS Factor to use the custom code and test the MFA flow.

  1. Go to Dashboard > Multifactor Auth and click the SMS factor box.

  2. In the modal that appears, select Custom for the SMS Delivery Provider, then make any adjustments you'd like to the templates. Click Save when complete, and close the modal.

  3. Enable the SMS factor using the toggle switch.

Test MFA flow

Trigger an MFA flow and verify that everything works as intended.


Troubleshoot

If something was misconfigured in Vonage, the hook, or the SMS Factor, you may see an error message on the login form when trying this factor out for the first time.


If you do not receive the text message, check the hook logs for a failed SMS log entry. To learn which event types to search, see the Log Event Type Code list, or use the Filter control to find MFA errors.


Once you find a log entry of interest, scroll down in the Raw tab to see an error message explaining what went wrong.


If this does not solve your issue, the next step would be to check the Vonage SMS API logs for a sent message and check its status. If there is no record of the message with Vonage, then the API call likely failed and the problem is in the hook code.
