To enable MFA, you toggle on the factors (such as push notifications or SMS) you choose to enable in the Dashboard on your tenant. Next, you perform any further setup required to configure that factor, and last, you choose whether you wish to force MFA for all users or not.
You can also customize your MFA flow with Auth0 rules to only require MFA in specific circumstances or force a particular factor to be used.
To enable the factors you require, go to Dashboard > Security > Multi-factor Auth. Here you will find a series of toggles for the MFA factors supported by Auth0.
Any or all of these factors can be enabled simultaneously. When logging in the first time, the user will be shown the most secure factor available but will be allowed to choose another factor to use if you have more than one factor enabled in the Dashboard. The SMS and Duo factors require further setup. You will have to click on the factor and fill in a few further settings before continuing.
Always: MFA is always triggered for all logins. Users will be able to use any of the factors enabled in the Dashboard.
Never: MFA is not triggered for any logins.
Require for high-risk logins: MFA is triggered based on Auth0 risk determination. See Enable Adaptive MFA for details.
Configure your factors.