Auth0 multi-factor authentication (MFA) is available as five factors:
One-time password (OTP)
Auth0 Guardian is a mobile app that can deliver push notifications to a user’s pre-registered device, typically a mobile phone or tablet, from which the user can immediately allow or deny account access at the press of a button. It can also generate one-time passwords if that factor is preferred. Instead of integrating with each vendor-specific push notification service, Auth0 push notification is implemented using AWS Simple Notification Service (SNS), which handles the vendor-specific integration.
The push factor is offered with the Guardian mobile app, available for both iOS and Android. The technology is also available as the Guardian SDK, which can be used in custom mobile applications to act as a second-factor push responder.
Guardian and push notifications
When you enable push, end users will need to have Auth0 Guardian, or a custom application built with the Guardian SDK, installed on their device. The app receives a push notification when the user attempts to authenticate, and the user must respond to it in order to log in, ensuring that they not only know their login information but also possess the device set up for MFA.
End users will be prompted to download Auth0 Guardian when trying to sign up or log in to your application. Once they indicate that they have successfully downloaded the app, a QR code will appear on the screen. They will have a short amount of time in which to scan the code with the designated app. Once this is done, they should see a confirmation screen.
Once this is all set up, when the user attempts to authenticate as normal, their device will receive a push notification via the app, and once they approve the request, they will be logged in.
Guardian and one-time passwords
Upon signup, users can scan a code to set up the app, after which it will begin generating one-time codes. Afterward, when logging in, the user can simply check the authenticator app for the current one-time code and enter it at the prompt.
Your users will need to have an OTP Authenticator app installed on their mobile devices.
You can install the Guardian SDK, available for iOS and Android, to build your own multi-factor authentication application with complete control over the branding and look-and-feel. With the Guardian SDK, you can build custom mobile applications that work like Guardian, or integrate some Guardian functionality, such as receiving push notifications, into your existing mobile applications. A typical scenario is a banking app: you can use the Guardian SDK in your existing mobile app to receive and confirm push notifications when someone performs an ATM transaction. See auth0-guardian.js for more information.
Migrate to Firebase Cloud Messaging
Auth0’s Guardian SDKs for iOS and Android help you create custom mobile apps with Guardian functionality, providing secure access to multi-factor authentication (MFA) with push notifications.
The Android SDK library was built to send push notifications using Google Cloud Messaging, which Google deprecated and replaced with Firebase Cloud Messaging (FCM). Google Cloud Messaging (GCM) stopped working on 11 April 2019. Learn more about how to migrate from GCM to FCM by following Google’s documentation. The main difference between sending notifications to GCM and to FCM is the payload received in the notification. While it was previously possible for customers using the Android SDK to adapt the payload received before calling the SDK method, we have upgraded the library to accept the new payload, making it simpler to adopt FCM.
Version 0.4.0 of the Guardian Android SDK is available in Maven Central and includes this change. The sample application was also upgraded, so it can be tested by providing the google-services.json file and a guardian-url.