Multi-factor Authentication in Auth0
What is multi-factor authentication?
Multi-factor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:
- Knowledge: Something the user knows (such as a password)
- Possession: Something the user has (such as a mobile device)
- Inheritance: Something the user is (such as a fingerprint or retina scan)
Implement MFA with Auth0
Enabling MFA for your tenant is a fairly straightforward process. First, you toggle on the factors you choose to enable on your tenant, such as push notifications or SMS. Next, you perform any further setup required to configure that factor, and last, you choose whether you wish to force MFA for all users or not. See the instructions below for details.
1. Enable the factors you require
In the Dashboard > Multifactor Auth, head to the Multifactor Auth section. Here you will find a series of toggles for the MFA factors supported by Auth0.
Any or all of these factors can be enabled simultaneously. When logging in the first time, the user will be shown the most secure factor available, but will be allowed to choose another factor to use if you have more than one factor enabled in the Dashboard. The SMS and the Duo factors require further setup. You will have to click on the factor and fill in a few further settings before continuing.
Always require multi-factor authentication
The Always require Multi-factor Authentication setting, when enabled, will force all your applications to prompt for MFA during the authentication flow. Users will be able to use any of the factors enabled in the Dashboard.
2. Set up your services
Customizing multi-factor authentication
The hosted page for MFA can also be customized. You may change the logo and the name that is displayed to your users. To do so, make the appropriate changes to the Guardian page's settings on the General tab in Dashboard > Tenant Settings. You can also reach the Tenant Settings page by clicking on your tenant name on the top right of the page and then selecting Settings from the dropdown menu.
- Friendly Name: the name of the app that you want displayed to users
- Logo URL: the URL that points to the logo image you want displayed to users
Additionally, you can customize the MFA hosted page as well.
Customizing via Rules
If you need to customize the multi-factor experience you are offering to your users, you may do so via custom rules configurations for multi-factor authentication. This might be needed, for example, if you wish to trigger MFA for only specific applications, or for specific users based on user metadata or on IP addresses.
Additionally, the MFA API is available for other customized MFA requirements.
With most MFA factors, upon signup, the end user will be given a recovery code which should be noted and kept secret. They will enter this code, after their username and password, to login if they do not have their device or are temporarily unable to use their normal MFA.
If they have lost their recovery code and device, you will need to reset the user's MFA.
See the MFA Troubleshooting Guide for help troubleshooting common end-user issues.