Auth0 Mfa
by @auth0
Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting complianc...
clawhub install auth0-mfaπ About This Skill
name: auth0-mfa description: Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0. license: Apache-2.0 metadata: author: Auth0
Auth0 MFA Guide
Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.
Overview
What is MFA?
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.
When to Use This Skill
MFA Factors Supported
| Factor | Type | Description | |--------|------|-------------| | TOTP | Something you have | Time-based one-time passwords (Google Authenticator, Authy) | | SMS | Something you have | One-time codes via text message | | Email | Something you have | One-time codes via email | | Push | Something you have | Push notifications via Auth0 Guardian app | | WebAuthn | Something you have/are | Security keys, biometrics, passkeys | | Voice | Something you have | One-time codes via phone call | | Recovery Code | Backup | One-time use recovery codes |
Key Concepts
| Concept | Description |
|---------|-------------|
| acr_values | Request MFA during authentication |
| amr claim | Authentication Methods Reference - indicates how user authenticated |
| Step-up auth | Require MFA for specific actions after initial login |
| Adaptive MFA | Conditionally require MFA based on risk signals |
Step 1: Enable MFA in Tenant
Via Auth0 Dashboard
1. Go to Security β Multi-factor Auth 2. Enable desired factors (TOTP, SMS, etc.) 3. Configure Policies: - Always - Require MFA for all logins - Adaptive - Risk-based MFA - Never - Disable MFA (use step-up instead)
Via Auth0 CLI
# View current MFA configuration
auth0 api get "guardian/factors"Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'
Configure MFA Policy
# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'
Step 2: Implement Step-Up Authentication
Step-up auth requires MFA for sensitive operations without requiring it for every login.
The acr_values Parameter
Request MFA by including acr_values in your authorization request:
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
Implementation Pattern
The general pattern for all frameworks:
1. Check if user has already completed MFA (inspect amr claim)
2. If not, request MFA via acr_values parameter
3. Proceed with sensitive action once MFA is verified
For complete framework-specific examples, see Examples Guide:
Additional Resources
This skill is split into multiple files for better organization:
Step-Up Examples
Complete code examples for all frameworks:Backend Validation
Learn how to validate MFA status on your backend:Advanced Topics
Advanced MFA implementation patterns:Reference Guide
Common patterns and troubleshooting:Related Skills
auth0-quickstart - Basic Auth0 setupauth0-passkeys - WebAuthn/passkey implementationauth0-actions - Custom authentication logic