Associate a New Authenticator for Use with Multifactor Authentication

This article includes documentation on features that are still under development. These features are available to customers with early access.

Auth0 allows you to configure your tenant so that your end users can self-associate a new authenticator for use in multifactor authentication.

In this tutorial, you'll learn how to configure self-association of a new authenticator for use in multifactor authentication. Configuring Auth0 for such process requires the following steps:

  1. Obtaining an MFA token
  2. Requesting authenticator association
  3. Using the authenticator to confirm association


Let's say that you have enabled multifactor authentication for your tenant, and you are capable of supporting more than one type of authenticator. You can then configure your authorization process so that users who log in and do not have at least one active authenticator (other than a recovery code) can self-associate a new authenticator.


For these tutorials, we will be using the Resource Owner Password Grant.

Before you begin the process of configuring self-association of authenticators, you'll need to:

  1. Configure Your Tenant (including setting the Default Audience and/or Default Directory)
  2. Register Your API
  3. Set the grant type property of the Non Interactive Client created with your API
  4. Create Your Connection

Associate Authenticators

When logging in, your users can self-associate the following types of authenticators:

Manage Authenticators

You can use list the authenticators you've associated with your tenant or delete individual authenticators as necessary.

MFA Challenges

You can manually trigger MFA challenges for associated authenticators.

Was this article helpful?