Multi-factor Authentication in Auth0

What is multi-factor authentication?

Multi-factor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:

  • Knowledge: Something the user knows (such as a password)
  • Possession: Something the user has (such as a mobile device)
  • Inherence: Something the user is (such as a fingerprint or retina scan)

Implement MFA with Auth0

Enabling MFA for your tenant is a fairly straightforward process. First, you toggle on the factors you choose to enable on your tenant, such as push notifications or SMS. Next, you perform any further setup required to configure that factor, and last, you choose whether you wish to force MFA for all users or not. See the instructions below for details.

You can also customize your MFA flow with Auth0 Rules, so that MFA is required only in specific circumstances or a particular factor is forced.

1. Enable the factors you require

In the Dashboard, head to the Multifactor Auth section. Here you will find a series of toggles for the MFA factors supported by Auth0.

MFA Dashboard Page

Any or all of these factors can be enabled simultaneously. When logging in for the first time, the user will be shown the most secure factor available, but will be allowed to choose another factor if you have more than one factor enabled in the Dashboard.

When you enable the SMS or the Duo factor, you will have to click on it and fill in a few further settings related specifically to that factor before continuing.

Always require multi-factor authentication

MFA Dashboard Page

The Always require Multi-factor Authentication setting, when enabled, will force all your applications to prompt for MFA during the authentication flow. Users will be able to use any of the factors enabled in the Dashboard.

2. Set up your services

Auth0 supports the following factors for implementing MFA. You must enable at least one to use MFA, but you can choose to enable and make available more than one factor if you wish.

Customizing multi-factor authentication

Customizing MFA

These customizations do not apply to Duo, which has its own UI.

The hosted page for MFA can also be customized. You may change the logo and the name that is displayed to your users. To do so, make the appropriate changes to the Guardian page's settings on the General tab in Dashboard > Tenant Settings. You can also reach the Tenant Settings page by clicking on your tenant name on the top right of the page and then selecting Settings from the dropdown menu.

  • Friendly Name: the name of the app that you want displayed to users
  • Logo URL: the URL that points to the logo image you want displayed to users

You can also customize the MFA hosted page itself.

Customizing via Rules

If you need to customize the multi-factor experience you are offering to your users, you may do so via custom rules configurations for multi-factor authentication. This might be needed, for example, if you wish to trigger MFA for only specific applications, or for specific users based on user metadata or on IP addresses.
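A Rule of the kind described above, written here as an added example rather than Auth0's own code: it sets `context.multifactor` only when the requesting client ID is on an allow-list, the user's `app_metadata` carries a `require_mfa` flag, or the request IP falls outside a trusted network. The client ID and network ranges are constructed placeholders, and `evaluate` is a test-only helper that is not part of a real Rule.

```javascript
// Constructed placeholders: replace with your own client IDs and networks.
const MFA_CLIENT_IDS = ["PLACEHOLDER_CLIENT_ID_ADMIN_APP"];
const TRUSTED_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24"];

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip || "").split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the IPv4 CIDR block. Anything unparseable
// (including IPv6) is treated as untrusted, which fails toward requiring MFA.
function ipInCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// The Rule itself: Auth0 calls it as function (user, context, callback).
function requireMfaRule(user, context, callback) {
  const appMeta = (user && user.app_metadata) || {};
  const ip = context.request && context.request.ip;
  const fromTrustedNetwork = TRUSTED_NETWORKS.some((net) => ipInCidr(ip, net));
  const needsMfa =
    MFA_CLIENT_IDS.includes(context.clientID) ||
    appMeta.require_mfa === true ||
    !fromTrustedNetwork;
  if (needsMfa) {
    // "any" lets the user pick from the factors enabled in the Dashboard;
    // allowRememberBrowser: false forces the prompt on every login.
    context.multifactor = { provider: "any", allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Test-only helper: runs the Rule synchronously and returns the resulting context.
function evaluate(user, context) {
  let result;
  requireMfaRule(user, context, (err, _u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}
```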

MFA API

Additionally, the MFA API is available for other customized MFA requirements.

Recovery methods

With most MFA factors, upon signup the end user will be given a recovery code that should be noted and kept secret. They will need this code to log in if they do not have their device or are temporarily unable to use their normal MFA. If they have lost both their recovery code and their device, you will need to reset the user's MFA.

MFA Recovery Code

If a recovery code is used, a new recovery code will be provided at that time.