Multifactor Authentication in Auth0

Multifactor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:

  • Knowledge: Something the user knows (e.g. a password)
  • Possession: Something the user has (e.g. a cell phone)
  • Inherence: Something the user is (e.g. a fingerprint or retina scan)

Implementing MFA with Auth0

Auth0 supports the following methods of implementing MFA:

  1. Push Notifications (Auth0 Guardian) - Auth0's mobile application Guardian sends push notifications for MFA
  2. SMS - Verification by sending a six-digit code via SMS
  3. One-time passwords - Support for the one-time password authentication services Google Authenticator and Duo Security
  4. Custom rules - Configuring rules for custom processes such as Contextual MFA, which allows you to define the conditions that will trigger additional authentication challenges, such as changes in geographic location or logins from unrecognized devices
  5. Custom provider - Using a custom provider, such as YubiKey

MFA using Push Notifications (Auth0 Guardian)

Guardian is Auth0's MFA application. It is a frictionless approach to implementing MFA for your apps, and provides a full MFA experience without requiring integration with third-party utilities.

Click here to learn more about enabling push notifications with Guardian

MFA with SMS

Auth0 supports sending an SMS containing a one-time password code, which is used as an additional verification step.

Click here to learn more about enabling SMS

MFA Using Google Authenticator

Google Authenticator is a mobile app that generates 2-step verification codes. Each code is a one-time-use password that serves as the second factor after your user has attempted to log in with their Google credentials.

Click here to learn more about enabling Google Authenticator

MFA Using Duo Security

Duo Security allows you to request either of the following as your second factor once the user has provided their initial login credentials:

  • A user response to a push notification sent to the appropriate device
  • A passcode provided to the user via SMS

Click here to learn more about enabling Duo

MFA Using Custom Rules

You may configure rules for custom MFA processes, which allow you to define the conditions that will trigger additional authentication challenges, such as changes in geographic location or logins from unrecognized devices.

Click here for sample code snippets to assist you in building your rules.
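
The contextual conditions described above (a change in geographic location, a login from an unrecognized device) can be expressed as a rule like the following. This is an added example, not code from Auth0 or from the original page; the app_metadata fields lastCountry and knownDevices are hypothetical names that your own post-login logic would have to maintain, and matching on the user-agent string is only a coarse stand-in for real device recognition.

```javascript
// Added example: contextual MFA in the (user, context, callback) rule style.
// Assumption: user.app_metadata.lastCountry and .knownDevices are hypothetical
// fields kept up to date elsewhere; they are not built-in Auth0 attributes.

// Pure decision helper: returns the reasons a step-up challenge is required.
function mfaReasons(user, context) {
  const meta = user.app_metadata || {};
  const request = context.request || {};
  const country = request.geoip && request.geoip.country_code;
  const userAgent = request.userAgent || '';
  const knownDevices = Array.isArray(meta.knownDevices) ? meta.knownDevices : [];
  const reasons = [];

  // Fail closed: missing geo data or a missing baseline counts as a change.
  if (!country || !meta.lastCountry || country !== meta.lastCountry) {
    reasons.push('geo_change');
  }
  // User-agent equality is a weak device signal, used here for illustration.
  if (!userAgent || !knownDevices.includes(userAgent)) {
    reasons.push('unrecognized_device');
  }
  return reasons;
}

// Rule entry point: request a second factor only when a condition fires.
function contextualMfa(user, context, callback) {
  const reasons = mfaReasons(user, context);
  if (reasons.length > 0) {
    context.multifactor = {
      provider: 'guardian',        // push notifications via Auth0 Guardian
      allowRememberBrowser: false  // always prompt when a condition fires
    };
  }
  callback(null, user, context);
}
```

Because the helper fails closed, a first login with no stored baseline is always challenged.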

MFA Using a Custom Provider

For a detailed introduction to implementing a custom MFA provider, see Multifactor Authentication with YubiKey-NEO.