Auth0 supports a number of different options when it comes to enabling multi-factor authentication (MFA) for protecting user account access.
On the Dashboard > Security > Multifactor Auth page, you can select the factors to use for MFA for your tenant.
Auth0 supports the following factors for implementing MFA. You must enable at least one factor to use MFA, and you can enable more than one so users have a choice. Which factors are available depends on your subscription plan.
Push notifications
Send users push notifications to their pre-registered devices, typically a mobile phone or tablet, from which the user can allow or deny account access with the press of a button. The push factor is offered through the Guardian mobile app, available for both iOS and Android. If you don't want your customers to download a separate application, Auth0 also provides an SDK for building the second-factor workflow into your existing mobile app.
SMS
Send users a one-time code over SMS, which the user is then prompted to enter before they can finish authenticating.
Voice
Deliver users a one-time code through a voice call, which the user is then prompted to enter before they can finish authenticating.
One-Time Password
One-Time Password (OTP) lets the user run an authenticator application on their personal device, such as Google Authenticator, that generates a one-time password changing over time; the user enters the current password as the second factor to validate the login.
WebAuthn with Security Keys
Email
Enable users to complete MFA with a one-time password delivered by email when no other enrolled factor is available; it is intended as a fallback rather than the primary factor.
Cisco Duo security
Cisco Duo is a multi-factor provider in its own right and can only be used when it is the sole factor enabled for the user; it cannot be combined with the factors above. Use your Duo account to manage MFA for Auth0.
Policies determine when a user is prompted to complete additional steps to prove they own the account. Use policies to define your own level of acceptable risk. You can choose between Never and Always.
You can achieve more refined multifactor configurations (such as per application or per user) by using rules.
See Authentication policy definitions for details.
MFA use cases
There are different ways to manage MFA depending on your environment:
B2B: Your customers manage MFA factors for their users.
B2C: End users manage their own MFA factors via a My MFA Settings page.
B2E: You manage MFA factors for your users.
To learn about the API endpoints that you can use to build a user interface to manage MFA factors, see Manage Authenticator Factors Using the MFA API.
Applications that allow access to different types of resources can require users to authenticate with a stronger authentication mechanism to access sensitive resources. See Step-Up Authentication for details.
You can configure a rule in Auth0 Dashboard > Rules to define the conditions that trigger additional authentication challenges. Use rules to force MFA for users of certain applications, for users with particular user metadata, or for logins from particular IP ranges, among other triggers.
Contextual MFA lets you define arbitrary conditions that trigger additional authentication challenges for increased security: for example, geographic location (geofencing), the address or type of network used (IP filtering), time of day, day of the week, or a change in the location or device being used to log in.
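The following rule is an added example of the contextual and per-application MFA described above; it is not code from the Auth0 documentation. It uses the `(user, context, callback)` shape of an Auth0 Rule and the `context.clientID`, `context.request.ip`, `context.authentication.methods`, `user.app_metadata` and `context.multifactor` fields that Rules expose. The client ID, the trusted network range and the `require_mfa` metadata flag are placeholders chosen for illustration, and the user and context objects used to exercise it are constructed here.

```javascript
// Added example: an Auth0 Rule that forces a second factor based on context.
// Not taken from the Auth0 docs; the client ID, CIDR range and metadata flag
// below are placeholders (assumptions) for illustration.

// Policy inputs (assumed placeholders, not real Auth0 identifiers).
const MFA_REQUIRED_CLIENTS = ['ADMIN_CONSOLE_CLIENT_ID']; // sensitive application(s)
const TRUSTED_NETWORKS = ['203.0.113.0/24'];              // e.g. corporate egress range

// Parse an IPv4 dotted quad into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when `ip` lies inside the IPv4 CIDR block `cidr` (e.g. "203.0.113.0/24").
// Malformed input is treated as "not trusted", which fails safe towards requiring MFA.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Decide whether this login needs a second factor and why. Kept separate from
// the rule so the policy can be unit-tested without the callback plumbing.
function mfaDecision(user, context) {
  // Do not re-prompt if MFA was already completed earlier in this session.
  const methods = (context.authentication && context.authentication.methods) || [];
  if (methods.some((m) => m.name === 'mfa')) {
    return { require: false, reason: 'mfa already completed in this session' };
  }
  // Per-application trigger: sensitive clients always get a challenge.
  if (MFA_REQUIRED_CLIENTS.includes(context.clientID)) {
    return { require: true, reason: 'sensitive application' };
  }
  // Per-user trigger: an administrator flagged this account in app_metadata.
  if (user.app_metadata && user.app_metadata.require_mfa === true) {
    return { require: true, reason: 'user flagged in app_metadata' };
  }
  // IP-filtering trigger: anything outside the trusted range is challenged.
  const ip = context.request && context.request.ip;
  const onTrusted = typeof ip === 'string' && TRUSTED_NETWORKS.some((c) => inCidr(ip, c));
  if (!onTrusted) {
    return { require: true, reason: 'login from outside trusted network' };
  }
  return { require: false, reason: 'no trigger matched' };
}

// The rule itself, in the (user, context, callback) shape Auth0 Rules use.
function requireContextualMfa(user, context, callback) {
  const decision = mfaDecision(user, context);
  if (decision.require) {
    // provider 'any' lets the user satisfy the challenge with whichever enabled
    // factor they have enrolled; allowRememberBrowser false disables the
    // "remember this browser" skip so every matching login is challenged.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}
```

Order matters in `mfaDecision`: the "already did MFA" shortcut runs first so a user who completed a challenge when logging in to one application is not prompted again when they move to a sensitive one in the same session; if your step-up policy should always re-challenge for the sensitive application, move that check below the client check.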