auth0-mfa

par auth0

Utiliser lors de l'ajout de MFA, 2FA, codes TOTP, SMS, notifications push, clés d'accès, ou lorsqu'une vérification renforcée est requise pour des opérations sensibles ou pour répondre à des exigences de conformité…

npx skills add https://github.com/auth0/agent-skills --skill auth0-mfa
Télécharger ZIPGitHub
33

Auth0 MFA Guide

Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.

Overview

What is MFA?

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.

When to Use This Skill

  • Adding MFA to protect user accounts
  • Requiring additional verification for sensitive actions (payments, settings changes)
  • Implementing adaptive/risk-based authentication
  • Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)

MFA Factors Supported

FactorTypeDescription
TOTPSomething you haveTime-based one-time passwords (Google Authenticator, Authy)
SMSSomething you haveOne-time codes via text message
EmailSomething you haveOne-time codes via email
PushSomething you havePush notifications via Auth0 Guardian app
WebAuthnSomething you have/areSecurity keys, biometrics, passkeys
VoiceSomething you haveOne-time codes via phone call
Recovery CodeBackupOne-time use recovery codes

Key Concepts

ConceptDescription
acr_valuesRequest MFA during authentication
amr claimAuthentication Methods Reference - indicates how user authenticated
Step-up authRequire MFA for specific actions after initial login
Adaptive MFAConditionally require MFA based on risk signals

Step 1: Enable MFA in Tenant

Via Auth0 Dashboard

  1. Go to Security → Multi-factor Auth
  2. Enable desired factors (TOTP, SMS, etc.)
  3. Configure Policies:
    • Always - Require MFA for all logins
    • Adaptive - Risk-based MFA
    • Never - Disable MFA (use step-up instead)

Via Auth0 CLI

# View current MFA configuration
auth0 api get "guardian/factors"

# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'

Configure MFA Policy

# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'

Step 2: Implement Step-Up Authentication

Step-up auth requires MFA for sensitive operations without requiring it for every login.

The acr_values Parameter

Request MFA by including acr_values in your authorization request:

acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor

Implementation Pattern

The general pattern for all frameworks:

  1. Check if user has already completed MFA (inspect amr claim)
  2. If not, request MFA via acr_values parameter
  3. Proceed with sensitive action once MFA is verified

For complete framework-specific examples, see Examples Guide:

  • React (basic and custom hook)
  • Next.js (App Router)
  • Vue.js
  • Angular

Additional Resources

This skill is split into multiple files for better organization:

Step-Up Examples

Complete code examples for all frameworks:

  • React (basic and custom hook patterns)
  • Next.js (App Router with API routes)
  • Vue.js (composition API)
  • Angular (services and components)

Backend Validation

Learn how to validate MFA status on your backend:

  • Node.js / Express JWT validation
  • Python / Flask validation
  • Middleware examples

Advanced Topics

Advanced MFA implementation patterns:

  • Adaptive MFA with Auth0 Actions
  • Conditional MFA based on risk signals
  • MFA Enrollment API

Reference Guide

Common patterns and troubleshooting:

  • Remember MFA for 30 days
  • MFA for high-value transactions
  • MFA status display
  • Error handling
  • AMR claim values
  • Testing strategies
  • Security considerations

Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-passkeys - WebAuthn/passkey implementation
  • auth0-actions - Custom authentication logic

References

Plus de skills de auth0

acul-screen-generator
auth0
Génère des implémentations complètes et personnalisées de l'écran de connexion universelle avancée Auth0 (ACUL) en utilisant le SDK React ou Vanilla JS. À utiliser lorsqu'un développeur demande de…
official
auth0-android
auth0
À utiliser lors de l'ajout d'authentification aux applications Android (Kotlin/Java) avec Web Auth, des identifiants protégés par biométrie et MFA - s'intègre…
official
auth0-angular
auth0
À utiliser lors de l'ajout d'authentification aux applications Angular avec des gardes de route et des intercepteurs HTTP - intègre le SDK @auth0/auth0-angular pour les SPA
official
auth0-aspnetcore-api
auth0
Utiliser lors de la sécurisation des points de terminaison d'API Web ASP.NET Core avec validation de jeton JWT Bearer, vérifications de portée/permission ou authentification sans état - s'intègre…
official
auth0-cli
auth0
Référence pour les commandes CLI Auth0 — applications, API, utilisateurs, rôles, organisations, actions, logs, domaines personnalisés, universal-login, terraform, mode API brut, et --json…
official
auth0-expo
auth0
À utiliser lors de l'ajout d'authentification aux applications mobiles Expo (React Native) — connexion, déconnexion, sessions utilisateur, routes protégées, biométrie ou gestion de jetons. S'intègre…
official
auth0-express
auth0
À utiliser lors de l'ajout d'authentification (connexion, déconnexion, routes protégées) aux applications web Express.js - intègre express-openid-connect pour l'authentification basée sur les sessions.
official
auth0-fastapi-api
auth0
Utiliser lors de la sécurisation des points d'API FastAPI avec validation de jeton JWT Bearer, vérifications de portée/permission ou authentification sans état - intègre auth0-fastapi-api pour REST…
official