🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

Auth0 Mfa

by @auth0

Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting complianc...

Versionv1.0.1
Downloads367
Installs2
TERMINAL
clawhub install auth0-mfa

πŸ“– About This Skill


name: auth0-mfa description: Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0. license: Apache-2.0 metadata: author: Auth0 version: '1.0.1' openclaw: emoji: "\U0001F510" homepage: https://github.com/auth0/agent-skills requires: bins: - auth0 os: - darwin - linux install: - id: brew kind: brew package: auth0/auth0-cli/auth0 bins: [auth0] label: 'Install Auth0 CLI (brew)'

Auth0 MFA Guide

Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.


Overview

What is MFA?

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.

When to Use This Skill

  • Adding MFA to protect user accounts
  • Requiring additional verification for sensitive actions (payments, settings changes)
  • Implementing adaptive/risk-based authentication
  • Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)
  • MFA Factors Supported

    | Factor | Type | Description | |--------|------|-------------| | TOTP | Something you have | Time-based one-time passwords (Google Authenticator, Authy) | | SMS | Something you have | One-time codes via text message | | Email | Something you have | One-time codes via email | | Push | Something you have | Push notifications via Auth0 Guardian app | | WebAuthn | Something you have/are | Security keys, biometrics, passkeys | | Voice | Something you have | One-time codes via phone call | | Recovery Code | Backup | One-time use recovery codes |

    Key Concepts

    | Concept | Description | |---------|-------------| | acr_values | Request MFA during authentication | | amr claim | Authentication Methods Reference - indicates how user authenticated | | Step-up auth | Require MFA for specific actions after initial login | | Adaptive MFA | Conditionally require MFA based on risk signals |


    Step 1: Enable MFA in Tenant

    Via Auth0 Dashboard

    1. Go to Security β†’ Multi-factor Auth 2. Enable desired factors (TOTP, SMS, etc.) 3. Configure Policies: - Always - Require MFA for all logins - Adaptive - Risk-based MFA - Never - Disable MFA (use step-up instead)

    Via Auth0 CLI

    # View current MFA configuration
    auth0 api get "guardian/factors"

    Enable TOTP (One-time Password)

    auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

    Enable SMS

    auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

    Enable Push notifications

    auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

    Enable WebAuthn (Roaming - Security Keys)

    auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

    Enable WebAuthn (Platform - Biometrics)

    auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

    Enable Email

    auth0 api put "guardian/factors/email" --data '{"enabled": true}'

    Configure MFA Policy

    # Set MFA policy: "all-applications" or "confidence-score"
    auth0 api patch "guardian/policies" --data '["all-applications"]'
    


    Step 2: Implement Step-Up Authentication

    Step-up auth requires MFA for sensitive operations without requiring it for every login.

    The acr_values Parameter

    Request MFA by including acr_values in your authorization request:

    acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
    

    Implementation Pattern

    The general pattern for all frameworks:

    1. Check if user has already completed MFA (inspect amr claim) 2. If not, request MFA via acr_values parameter 3. Proceed with sensitive action once MFA is verified

    For complete framework-specific examples, see Examples Guide:

  • React (basic and custom hook)
  • Next.js (App Router)
  • Vue.js
  • Angular

  • Additional Resources

    This skill is split into multiple files for better organization:

    Step-Up Examples

    Complete code examples for all frameworks:
  • React (basic and custom hook patterns)
  • Next.js (App Router with API routes)
  • Vue.js (composition API)
  • Angular (services and components)
  • Backend Validation

    Learn how to validate MFA status on your backend:
  • Node.js / Express JWT validation
  • Python / Flask validation
  • Middleware examples
  • Advanced Topics

    Advanced MFA implementation patterns:
  • Adaptive MFA with Auth0 Actions
  • Conditional MFA based on risk signals
  • MFA Enrollment API
  • Reference Guide

    Common patterns and troubleshooting:
  • Remember MFA for 30 days
  • MFA for high-value transactions
  • MFA status display
  • Error handling
  • AMR claim values
  • Testing strategies
  • Security considerations

  • Related Skills

  • auth0-quickstart - Basic Auth0 setup
  • auth0-passkeys - WebAuthn/passkey implementation
  • auth0-actions - Custom authentication logic

  • References

  • Auth0 MFA Documentation
  • Step-Up Authentication
  • MFA API
  • acr_values Parameter