Multifactor Authentication in Auth0
Multifactor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:
- Knowledge: Something the user knows (e.g. a password)
- Possession: Something the user has (e.g. a cell phone)
- Inheritance: Something the user is (e.g. a fingerprint or retina scan)
Implementing MFA with Auth0
Auth0 supports the following methods of implementing MFA:
- Push Notifications (Auth0 Guardian) - Auth0's mobile application Guardian sends push notifications for MFA
- SMS (Auth0 Guardian) - Verification by sending a six-digit code via SMS
- Support for one-time password authentication services Google Authenticator and Duo Security.
- Configuring rules for custom processes - such as Contextual MFA, which allows you to define the conditions that will trigger additional authentication challenges, such as changes in geographic location or logins from unrecognized devices.
- Using a custom provider, such as Yubikey.
MFA using Push Notifications (Auth0 Guardian)
Guardian is Auth0's MFA application. It is a frictionless approach to implementing MFA for your apps, and provides a full MFA experience without requiring integration with third-party utilities.
MFA with SMS
Auth0 supports sending an SMS with a one-time password code to be used for another step of verification.
MFA Using Google Authenticator
Google Authenticator is a mobile app that generates 2-step verification codes. This creates a one-time use password that is used as the second factor after your user has attempted to log in with their Google credentials.
MFA Using Duo Security
Duo Security allows you to request either of the following as your second factor once the user has provided their initial login credentials:
- A user response to a push notification sent to the appropriate device
- A passcode provided to the user via SMS
MFA Using Custom Rules
You may configure rules for custom MFA processes, which allow you to define the conditions that will trigger additional authentication challenges, such as changes in geographic location or logins from unrecognized devices.
Click here for sample code snippets to assist you in building your rules here.
MFA Using a Custom Provider
For a detailed look at implementing a custom MFA provider, see Multifactor Authentication with YubiKey-NEO as an introduction.
For details on how to implement user-initiated MFA, so you can flag users for MFA as part of the user creation/login process, refer to User-Initiated Multifactor Authentication.