Multi-factor Authentication in Auth0
What is multi-factor authentication?
Multi-factor Authentication (MFA) is a method of verifying a user's identity by requiring them to present more than one piece of identifying information. This method provides an additional layer of security, decreasing the likelihood of unauthorized access. The type of information required from the user is typically two or more of the following:
- Knowledge: Something the user knows (such as a password)
- Possession: Something the user has (such as a mobile device)
- Inherence: Something the user is (such as a fingerprint or retina scan)
Implement MFA with Auth0
Enabling MFA for your tenant is a fairly straightforward process. First, you toggle on the factors you want to enable for your tenant, such as push notifications or SMS. Next, you perform any further setup that factor requires, and last, you choose whether to force MFA for all users. See the instructions below for details.
1. Enable the factors you require
In the Dashboard, go to the Multifactor Auth section. Here you will find a series of toggles for the MFA factors supported by Auth0.
Any or all of these factors can be enabled simultaneously. When logging in for the first time, the user will be shown the most secure factor available, but will be allowed to choose another factor if you have more than one enabled in the Dashboard. The SMS and Duo factors require further setup: click on the factor and fill in a few additional settings before continuing.
Always require multi-factor authentication
The Always require Multi-factor Authentication setting, when enabled, will force all your applications to prompt for MFA during the authentication flow. Users will be able to use any of the factors enabled in the Dashboard.
2. Set up your services
Customizing multi-factor authentication
The Multi-factor Authentication pages can be customized by adjusting the Universal Login branding options in the Universal Login Settings section.
If you need further customization, you can also customize the full HTML content to reflect your organization's particular UX requirements.
Customizing via Rules
If you need to customize the multi-factor experience you are offering to your users, you may do so via custom rules configurations for multi-factor authentication. This might be needed, for example, if you wish to trigger MFA for only specific applications, or for specific users based on user metadata or on IP addresses.
Additionally, the MFA API is available for other customized MFA requirements.
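The following Auth0 Rule is an added example, not code from the Auth0 documentation: it triggers MFA only for a specific application or for users flagged in app_metadata, and skips the challenge for logins from a trusted network. The client ID, the require_mfa metadata key and the CIDR range are hypothetical placeholders; context.clientID, context.request.ip, user.app_metadata and context.multifactor are the standard Rules objects.

```javascript
// Hypothetical values for this example; replace with your own tenant's.
const MFA_REQUIRED_CLIENT_IDS = ['HYPOTHETICAL_ADMIN_APP_CLIENT_ID'];
const TRUSTED_CIDRS = ['203.0.113.0/24']; // constructed documentation range

// Convert a dotted-quad IPv4 string to an unsigned 32-bit integer.
function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// Returns true when an IPv4 address falls inside a CIDR block.
function ipv4InCidr(ip, cidr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false; // ignore IPv6/garbage
  const [net, bitsStr] = cidr.split('/');
  const bits = parseInt(bitsStr, 10);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Decide whether this login should be challenged with a second factor.
// Keep the trusted range narrow: anything inside it bypasses MFA entirely.
function mfaRequired(user, context) {
  const ip = context.request && context.request.ip;
  if (ip && TRUSTED_CIDRS.some((c) => ipv4InCidr(ip, c))) return false;
  if (MFA_REQUIRED_CLIENT_IDS.includes(context.clientID)) return true;
  const meta = user.app_metadata || {};
  return meta.require_mfa === true;
}

// The Rule itself, in the (user, context, callback) signature Auth0 Rules use.
function requireMfaConditionally(user, context, callback) {
  if (mfaRequired(user, context)) {
    context.multifactor = {
      provider: 'any',             // any factor enabled in the Dashboard
      allowRememberBrowser: false  // re-challenge on every login
    };
  }
  return callback(null, user, context);
}
```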
With most MFA factors, upon signup the end user will be given a recovery code, which should be noted and kept secret. They will enter this code, after their username and password, to log in if they do not have their device or are temporarily unable to use their normal MFA factor.
If they have lost their recovery code and device, you will need to reset the user's MFA.
If a user uninstalls then later re-installs Guardian, they may be prompted to enter their recovery code. If the recovery code has been lost, the user can perform a new installation of the app by disabling automatic restoration of their Guardian backup. To do so, the user will need to uninstall Guardian, temporarily disable automatic restoration of backups within their device settings (steps to do so will vary according to the device), then re-install the app. They will then need to add their MFA account(s) to the app as if performing a first-time setup. If automatic backups or automatic restoration are not enabled on the user's device, re-installation of the app will not prompt for a recovery code and the user will be required to add their MFA account(s) as in a first-time setup.
See the MFA Troubleshooting Guide for help troubleshooting common end-user issues.