Multifactor Authentication (MFA)

Learn everything about Multifactor Authentication (MFA) and how you can start using it right now in your application.

What is Multifactor Authentication?

Multifactor Authentication (MFA) is a method of identifying users by presenting two or more separate authentication stages. 2-Factor Authentication (2FA) is the most used type of MFA.

Typically, Multifactor Authentication requires a combination of something the user knows, something the user has, and sometimes something the user is.

  • Knowledge factors, such as passwords, PINs, or secret questions.
  • Possession factors, such as an access card, phone, or hardware key.
  • Inherence factors, which are biometric information, such as the user’s fingerprint, face, or voice.

Why is Multifactor necessary?

Multifactor Authentication provides enhanced security for your critical systems. It prevents an attacker who holds only one of these factors from gaining access to your accounts: if your password is stolen, for example, you still have another layer of protection.

The extra MFA layers can be triggered only in abnormal or specific situations, such as a login from a different device, location, or time frame.

Multifactor Options

Some of the most used multifactor options are:

  • Time-based One-Time Password (TOTP): It generates a one-time password from a shared secret key and the current time. These passwords are short-lived (between 30 to 60 seconds) and require the server and device clocks to be synchronized. For example, Google Authenticator.
  • SMS verification: This method relies on something the user nearly always carries: a mobile phone. When the user attempts to log in, an SMS with a one-time code is sent to the registered phone number, and that code is used to validate the user's identity. One example of this is Duo.
  • Hardware token: These are small devices that may be connected (such as USB dongles) or disconnected (devices with a built-in screen). They hold the same shared secret key as the server and use it to generate the password. For example, Yubikey.

Easy to implement with Auth0

Using Auth0 you can have MFA implemented in minutes! You can use the out-of-the-box providers or easily integrate any other provider using Auth0’s extensibility. To quickly implement MFA, perform the following steps:

  1. In Auth0’s management dashboard, click the Multifactor Auth option.
  2. Flip the Enable Multifactor Auth switch to enable the feature.
  3. Select one of the built-in providers (Google Authenticator, Duo, or others) or plug in your own by writing a few lines of code on the extensible Auth0 platform.
  4. Customize the provider. Just replace the placeholder with your CLIENT ID and you are good to go!

But the possibilities don’t end there, you can even create your own rules on when MFA will be triggered.

Adaptive Context-aware Multifactor

Adaptive Context-aware Multifactor allows you to enforce MFA or additional layers of authentication based on different conditions, such as geographic location, time of day or week, type of network, custom domains or certain IPs, or any arbitrary condition that can be expressed in code on the Auth0 platform.

By default, multifactor is requested only once per month, but you can enforce it every time the user logs on, or even define your own rules to trigger MFA.

You can define rules such as requiring MFA when accessing mission-critical applications from outside your company’s intranet, when accessing from a different device, or from a new location.
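As an added example (not Auth0's own code), here is a rule that implements conditions of the kind listed above and asks for MFA only when one of them fires. The corporate CIDR list, the business-hours window, the app_metadata.known_devices list and the User-Agent match are constructed assumptions for the demo; context.multifactor, context.request.ip and context.request.userAgent are the rule-context fields Auth0 exposes.

```javascript
// Added example, not Auth0's own code: an adaptive rule that steps up to MFA
// only when the login looks unusual. Ranges, hours and device list are constructed.

// Constructed: an RFC 1918 range and an RFC 5737 documentation range standing
// in for the company intranet.
const CORPORATE_RANGES = ['10.0.0.0/8', '203.0.113.0/24'];
const BUSINESS_HOURS_UTC = { start: 7, end: 19 }; // [start, end), assumed

// Parse dotted IPv4 into an unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  if (typeof ip !== 'string') return null;
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if `ip` falls inside `cidr` (IPv4 only; anything unparsable counts as outside).
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const baseInt = ipv4ToInt(base);
  if (ipInt === null || baseInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((baseInt & mask) >>> 0);
}

// Collect every reason this login should be stepped up. Returning the reasons
// rather than a bare boolean makes the decision easy to log and to test.
function mfaReasons(user, context, now) {
  const reasons = [];
  const req = context.request || {};
  if (!CORPORATE_RANGES.some((r) => inCidr(req.ip, r))) reasons.push('outside-intranet');
  // Assumption: known device identifiers live in app_metadata.known_devices and are
  // matched against the User-Agent; a real deployment would use a sturdier fingerprint.
  const known = (user.app_metadata && user.app_metadata.known_devices) || [];
  if (!known.includes(req.userAgent)) reasons.push('new-device');
  const hour = now.getUTCHours();
  if (hour < BUSINESS_HOURS_UTC.start || hour >= BUSINESS_HOURS_UTC.end) reasons.push('off-hours');
  return reasons;
}

// The rule, in Auth0's rule signature. Setting context.multifactor makes Auth0
// run the configured MFA provider for this login; 'any' means whichever is enabled,
// and allowRememberBrowser: false keeps the step-up from being skipped on a
// previously remembered browser.
function adaptiveMfaRule(user, context, callback) {
  const reasons = mfaReasons(user, context, new Date());
  if (reasons.length > 0) {
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}
```

Because the reasons are returned, a rule like this can also write them to a log before continuing, which gives the security team a record of why a given login was stepped up.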

Custom MFA Providers

If you are using a different MFA provider or want to build your own, you can use the redirect protocol in Auth0.

To use a custom MFA provider, you can interrupt the authentication transaction and redirect the user to an arbitrary URL where an additional authentication factor can happen. After this completes (successfully or not), the transaction can then resume in Auth0 for further processing. The following code shows how simple it is to do that.

function(user, context, callback) {
    // condition() stands for whatever check decides that this login needs the extra factor
    if (condition() && context.protocol !== 'redirect-callback') {
        context.redirect = {
            url: 'https://your_custom_mfa'
        };
    }
    // Auth0 sets context.protocol to 'redirect-callback' when the user returns from that URL
    if (context.protocol === 'redirect-callback') {
        // TODO: handle the result of the MFA step
    }
    callback(null, user, context);
}

Compliance with Standards

We’re HIPAA and SOC2 compliant, which assures you that we comply with all best practices of identity management. Additionally, if you require an extra layer of security you can turn on advanced policies like multifactor authentication, password policies, brute force protection and much more with just one click!

Sign up for free

Start building today and secure your apps with the Auth0 identity platform.
