Multi-factor Authentication in Auth0

What is multi-factor authentication?

Multi-factor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:

  • Knowledge: Something the user knows (such as a password)
  • Possession: Something the user has (such as a mobile device)
  • Inherence: Something the user is (such as a fingerprint or retina scan)

Implement MFA with Auth0

Enabling MFA for your tenant is a fairly straightforward process. First, you toggle on the factors you want to enable on your tenant, such as push notifications or SMS. Next, you perform any further setup required to configure each factor. Finally, you choose whether to force MFA for all users. See the instructions below for details.

You can also customize your MFA flow with Auth0 Rules, so that MFA is required only in specific circumstances or so that a particular factor is used.

1. Enable the factors you require

In the Dashboard, go to the Multifactor Auth section. Here you will find a series of toggles for the MFA factors supported by Auth0.

Any or all of these factors can be enabled simultaneously. When logging in the first time, the user will be shown the most secure factor available, but will be allowed to choose another factor to use if you have more than one factor enabled in the Dashboard. The SMS and the Duo factors require further setup. You will have to click on the factor and fill in a few further settings before continuing.

Duo will only be available to end-users as a factor if it is the only factor that is enabled.

Always require multi-factor authentication

The Always require Multi-factor Authentication setting, when enabled, will force all your applications to prompt for MFA during the authentication flow. Users will be able to use any of the factors enabled in the Dashboard.

2. Set up your services

Auth0 supports the following factors for implementing MFA. You must enable at least one to use MFA, but you can choose to enable and make available more than one factor if you wish. Available factors are dependent on your subscription plan.

Customizing multi-factor authentication

These customizations do not apply to Duo, which has its own UI.

The Multi-factor Authentication pages can be customized by adjusting the Universal Login branding options in the Universal Login Settings section.

If you need further customization, you can also customize the full HTML content to reflect your organization's particular UX requirements.

Customizing via Rules

If you need to customize the multi-factor experience you are offering to your users, you may do so via custom rules configurations for multi-factor authentication. This might be needed, for example, if you wish to trigger MFA for only specific applications, or for specific users based on user metadata or on IP addresses.


Additionally, the MFA API is available for other customized MFA requirements.
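
The rule-based customization described above could look like the following. This is an added example, not code from Auth0's documentation: the client IDs, the trusted CIDR range and the `use_mfa` metadata key are placeholder assumptions, and the rule is given a name (`requireMfaRule`) so it can run outside the Rules editor. It assumes the Always require Multi-factor Authentication setting is off, since that setting prompts on every login.

```javascript
// Added example: an Auth0 Rule that decides per login whether to prompt for MFA.
// Client IDs, the CIDR range and the use_mfa key are placeholders (assumptions).
const MFA_CLIENT_IDS = ['REPLACE_WITH_CLIENT_ID_1', 'REPLACE_WITH_CLIENT_ID_2'];
const TRUSTED_CIDRS = ['203.0.113.0/24']; // constructed value (documentation range)

// Convert a dotted IPv4 string to an unsigned integer; null if it is not IPv4.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True only when ip is a valid IPv4 address inside cidr; anything else is untrusted.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null) return false; // fail closed (IPv6, garbage)
  const size = 2 ** (32 - Number(bitsStr));
  return Math.floor(ipInt / size) === Math.floor(baseInt / size);
}

// Rule body: prompt for MFA for listed applications, flagged users, or unknown networks.
function requireMfaRule(user, context, callback) {
  const meta = user.user_metadata || {};
  const ip = context.request && context.request.ip;
  const sensitiveApp = MFA_CLIENT_IDS.includes(context.clientID);
  const flaggedUser = meta.use_mfa === true;
  const untrustedNetwork = !TRUSTED_CIDRS.some((c) => inCidr(ip, c));
  if (sensitiveApp || flaggedUser || untrustedNetwork) {
    // 'any' lets the user pick among the factors enabled in the Dashboard.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  callback(null, user, context);
}
```

A missing or non-IPv4 address is treated as untrusted, so a login whose source cannot be matched against the allowlist still gets the MFA prompt.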

Recovery methods

With most MFA factors, upon signup, the end user will be given a recovery code, which should be noted and kept secret. They will enter this code after their username and password to log in if they do not have their device or are temporarily unable to use their normal MFA.

If a recovery code is used, a new recovery code will be provided at that time.

If they have lost their recovery code and device, you will need to reset the user's MFA.

If a user uninstalls then later re-installs Guardian, they may be prompted to enter their recovery code. If the recovery code has been lost, the user can perform a new installation of the app by disabling automatic restoration of their Guardian backup. To do so, the user will need to uninstall Guardian, temporarily disable automatic restoration of backups within their device settings (steps to do so will vary according to the device), then re-install the app. They will then need to add their MFA account(s) to the app as if performing a first-time setup. If automatic backups or automatic restoration are not enabled on the user's device, re-installation of the app will not prompt for a recovery code and the user will be required to add their MFA account(s) as in a first-time setup.


See the MFA Troubleshooting Guide for help troubleshooting common end-user issues.