# Auth0 MFA Guide

Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.

## Overview

### What is MFA?

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.

### When to Use This Skill

- Adding MFA to protect user accounts
- Requiring additional verification for sensitive actions (payments, settings changes)
- Implementing adaptive/risk-based authentication
- Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)

## MFA Factors Supported

| Factor | Type | Description |
|---|---|---|
| TOTP | Something you have | Time-based one-time passwords (Google Authenticator, Authy) |
| SMS | Something you have | One-time codes via text message |
| Email | Something you have | One-time codes via email |
| Push | Something you have | Push notifications via Auth0 Guardian app |
| WebAuthn | Something you have/are | Security keys, biometrics, passkeys |
| Voice | Something you have | One-time codes via phone call |
| Recovery Code | Backup | One-time use recovery codes |

## Key Concepts

| Concept | Description |
|---|---|
| `acr_values` | Request MFA during authentication |
| `amr` claim | Authentication Methods Reference - indicates how the user authenticated |
| Step-up auth | Require MFA for specific actions after initial login |
| Adaptive MFA | Conditionally require MFA based on risk signals |

## Step 1: Enable MFA in Tenant

### Via Auth0 Dashboard

1. Go to **Security → Multi-factor Auth**
2. Enable desired factors (TOTP, SMS, etc.)
3. Configure **Policies**:
   - **Always** - Require MFA for all logins
   - **Adaptive** - Risk-based MFA
   - **Never** - Disable MFA (use step-up instead)

### Via Auth0 CLI
```bash
# View current MFA configuration
auth0 api get "guardian/factors"

# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'
```

### Configure MFA Policy

```bash
# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'
```

## Step 2: Implement Step-Up Authentication

Step-up auth requires MFA for sensitive operations without requiring it for every login.

### The `acr_values` Parameter

Request MFA by including `acr_values` in your authorization request:

```
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
```

### Implementation Pattern

The general pattern for all frameworks:

1. Check if the user has already completed MFA (inspect the `amr` claim)
2. If not, request MFA via the `acr_values` parameter
3. Proceed with the sensitive action once MFA is verified

For complete framework-specific examples, see the Examples Guide:

- React (basic and custom hook)
- Next.js (App Router)
- Vue.js
- Angular

## Additional Resources

This skill is split into multiple files for better organization:

### Step-Up Examples

Complete code examples for all frameworks:

- React (basic and custom hook patterns)
- Next.js (App Router with API routes)
- Vue.js (composition API)
- Angular (services and components)

### Backend Validation

Learn how to validate MFA status on your backend:

- Node.js / Express JWT validation
- Python / Flask validation
- Middleware examples

### Advanced Topics

Advanced MFA implementation patterns:

- Adaptive MFA with Auth0 Actions
- Conditional MFA based on risk signals
- MFA Enrollment API

### Reference Guide

Common patterns and troubleshooting:

- Remember MFA for 30 days
- MFA for high-value transactions
- MFA status display
- Error handling
- AMR claim values
- Testing strategies
- Security considerations
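The three-step pattern from Step 2 (inspect `amr`, request MFA with `acr_values` if it is absent, otherwise proceed) as a framework-free Node.js example. This is an added illustration, not code from the Auth0 guide or from any Auth0 SDK. The tenant domain, client ID, redirect URI, and the `state`/`nonce`/PKCE values are placeholders; the sample tokens are constructed inline with a placeholder signature; and `decodeJwtPayload` only splits and base64url-decodes a token, so it assumes an Auth0 SDK has already verified the signature, issuer, audience and expiry before the claims are trusted.

```javascript
// Added example (not from the Auth0 guide or SDKs): the Step 2 step-up pattern.
// Assumed, not from the page: placeholders for tenant/client/redirect/PKCE values,
// and that the token's signature, iss, aud and exp were verified by the SDK
// before its claims reach hasCompletedMfa(). decodeJwtPayload() verifies nothing.

const MFA_ACR = "http://schemas.openid.net/pape/policies/2007/06/multi-factor";

function base64UrlDecode(input) {
  const padded = input + "=".repeat((4 - (input.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Split a compact JWS and parse its payload. This is parsing only, not validation.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Auth0 lists "mfa" in the `amr` claim once a second factor was completed.
// A missing or malformed `amr` counts as "no MFA", never as "MFA done" (fail closed).
function hasCompletedMfa(claims) {
  return Array.isArray(claims.amr) && claims.amr.includes("mfa");
}

// Build the /authorize request that asks Auth0 for MFA via acr_values.
// state, nonce and codeChallenge are caller-supplied random values
// (an Auth0 SDK generates and checks these for you in a real app).
function buildStepUpUrl({ domain, clientId, redirectUri, state, nonce, codeChallenge }) {
  const url = new URL(`https://${domain}/authorize`);
  const params = {
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile",
    acr_values: MFA_ACR,
    state,
    nonce,
    code_challenge: codeChallenge,
    code_challenge_method: "S256",
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Step 2 decision: proceed when amr shows MFA, otherwise hand back the
// authorization URL the client must redirect to before retrying the action.
function gateSensitiveAction(claims, authorizeOpts) {
  if (hasCompletedMfa(claims)) {
    return { mfaRequired: false, authorizeUrl: null };
  }
  return { mfaRequired: true, authorizeUrl: buildStepUpUrl(authorizeOpts) };
}

// --- Constructed sample data for an offline run (placeholder signature) ---
function base64UrlEncode(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function makeSampleToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}

const SAMPLE_OPTS = {
  domain: "example.auth0.com",               // placeholder tenant domain
  clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "https://app.example.com/callback",
  state: "state-placeholder",
  nonce: "nonce-placeholder",
  codeChallenge: "challenge-placeholder",
};

const passwordOnlyToken = makeSampleToken({ sub: "auth0|u1", amr: ["pwd"] });
const mfaToken = makeSampleToken({ sub: "auth0|u1", amr: ["pwd", "mfa"] });

console.log(gateSensitiveAction(decodeJwtPayload(passwordOnlyToken), SAMPLE_OPTS)); // mfaRequired: true
console.log(gateSensitiveAction(decodeJwtPayload(mfaToken), SAMPLE_OPTS));          // mfaRequired: false
```

Two design points carry over to the framework examples: the check fails closed (anything other than an `amr` array containing `"mfa"` triggers step-up), and the `amr` inspection happens on a token the SDK has already verified. On the backend the same `hasCompletedMfa` check belongs after full JWT validation of the access token, not on a payload decoded from an unverified bearer string.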