Factors
Auth0 supports the following factors for implementing MFA.
Push notifications
Send users push notifications to their pre-registered devices, typically a mobile phone or tablet, from which a user can immediately allow or deny account access via the simple press of a button. Push factor is offered with the Auth0 Guardian mobile app, available for both iOS and Android. To learn more, read Auth0 Guardian. If you don’t want your customers to have to download a separate application, Auth0 also provides a Guardian SDK for building a second-factor workflow in your existing mobile device app. To learn more, read Install Guardian SDK.
SMS notifications
Send users a one-time code over SMS which the user is then prompted to enter before they can finish authenticating. To learn more, read Configure SMS and Voice Notifications for MFA.
Voice notifications
Deliver a one-time code to users through voice call which the user is then prompted to enter before they can finish authenticating. To learn more, read Configure SMS and Voice Notifications for MFA.
One-time passwords
One-time passwords allow you to use an authenticator application on the user’s personal device, such as Google Authenticator, to generate a one-time password that changes over time and which can be entered as the second factor to validate an account. To learn more, read Configure OTP Notifications for MFA.
WebAuthn with security keys
Enable users to perform MFA with FIDO-compliant security keys (e.g., YubiKey, Google Titan). To learn more, read Configure WebAuthn with Security Keys for MFA.
WebAuthn with device biometrics
Enable users to perform MFA using platform authenticators such as MacBook’s TouchBar, Windows Hello, iOS Touch ID/Face ID, and Android’s fingerprint/face recognition. To learn more, read Configure WebAuthn with Device Biometrics for MFA.
Email notifications
Enable users to perform MFA using one-time passwords delivered through email if the users are enrolled with additional independent authentication factors. To learn more, read Configure Email Notifications for MFA.
Cisco Duo security
Cisco Duo is a multi-faceted provider and can only be used if it’s the only factor available for the user. Use your Duo account to manage MFA with Auth0. To learn more, read Configure Cisco Duo Security for MFA.
Recovery codes
Recovery codes are unique codes allowing users to regain account access if they cannot access the device or account used for MFA enrollment. To learn more, read Configure Recovery Codes for MFA.
Policies
Policies determine when a user will be prompted to complete additional steps to prove they own a particular account. Use policies to define your own level of acceptable risk. You can choose between Never, Use , and Always. You can achieve more refined multi-factor configurations (such as per application, per user, etc.) by using Auth0 Actions. To learn more, read Auth0 Actions.
Rules affecting MFA take precedence over the policy configuration in the Dashboard.
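One way to express a per-application and per-user MFA requirement as a post-login Action. This is an added example, not code from the original page or from Auth0; the `require_mfa` client-metadata key, the `require_mfa` flag in `app_metadata` and the `mfaProviderFor` helper are assumptions made up for illustration.

```javascript
// Added example: per-application / per-user MFA in a post-login Action.
// Assumed names (not from the page): client metadata key "require_mfa",
// user app_metadata flag "require_mfa", and the helper mfaProviderFor().

// Pure decision function: returns the provider to pass to
// api.multifactor.enable(), or null when no prompt is needed.
function mfaProviderFor(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  // MFA was already completed in this session: do not prompt again.
  if (methods.some((m) => m.name === "mfa")) return null;

  const clientMeta = (event.client && event.client.metadata) || {};
  const appMeta = (event.user && event.user.app_metadata) || {};

  // Client metadata values are stored as strings, so compare to "true".
  const appRequires = clientMeta.require_mfa === "true";
  // app_metadata is JSON, so a real boolean is expected here.
  const userRequires = appMeta.require_mfa === true;

  // "any" lets the user complete whichever enabled factor they enrolled.
  return appRequires || userRequires ? "any" : null;
}

// Entry point that Auth0 invokes after each login.
const onExecutePostLogin = async (event, api) => {
  const provider = mfaProviderFor(event);
  if (provider) {
    // Fail closed on convenience: no "remember this browser" bypass.
    api.multifactor.enable(provider, { allowRememberBrowser: false });
  }
};

// Export for the Actions runtime (guarded so the file also loads as a module).
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```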
Use cases
There are different ways to manage MFA depending on your environment:
- B2B: Your customers manage MFA factors for their users.
- B2C: End users manage their own MFA factors via a My MFA Settings page.
- B2E: You manage MFA factors for your users.