auth0/auth0-mfa

Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0.

0.1.0

Apache-2.0

Agent Skills

npx @senso-ai/shipables install auth0/auth0-mfa

Auth0 MFA Guide

Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.

Overview

What is MFA?

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.

When to Use This Skill

Adding MFA to protect user accounts
Requiring additional verification for sensitive actions (payments, settings changes)
Implementing adaptive/risk-based authentication
Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)

MFA Factors Supported

Factor	Type	Description
TOTP	Something you have	Time-based one-time passwords (Google Authenticator, Authy)
SMS	Something you have	One-time codes via text message
Email	Something you have	One-time codes via email
Push	Something you have	Push notifications via Auth0 Guardian app
WebAuthn	Something you have/are	Security keys, biometrics, passkeys
Voice	Something you have	One-time codes via phone call
Recovery Code	Backup	One-time use recovery codes

Key Concepts

Concept	Description
`acr_values`	Request MFA during authentication
`amr` claim	Authentication Methods Reference - indicates how user authenticated
Step-up auth	Require MFA for specific actions after initial login
Adaptive MFA	Conditionally require MFA based on risk signals

Step 1: Enable MFA in Tenant

Via Auth0 Dashboard

Go to Security → Multi-factor Auth
Enable desired factors (TOTP, SMS, etc.)
Configure Policies:
- Always - Require MFA for all logins
- Adaptive - Risk-based MFA
- Never - Disable MFA (use step-up instead)

Via Auth0 CLI

# View current MFA configuration
auth0 api get "guardian/factors"

# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'

Configure MFA Policy

# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'

Step 2: Implement Step-Up Authentication

Step-up auth requires MFA for sensitive operations without requiring it for every login.

The `acr_values` Parameter

Request MFA by including acr_values in your authorization request:

acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor

Implementation Pattern

The general pattern for all frameworks:

Check if user has already completed MFA (inspect amr claim)
If not, request MFA via acr_values parameter
Proceed with sensitive action once MFA is verified

For complete framework-specific examples, see Examples Guide:

React (basic and custom hook)
Next.js (App Router)
Vue.js
Angular

Additional Resources

This skill is split into multiple files for better organization:

Step-Up Examples

Complete code examples for all frameworks:

React (basic and custom hook patterns)
Next.js (App Router with API routes)
Vue.js (composition API)
Angular (services and components)

Backend Validation

Learn how to validate MFA status on your backend:

Node.js / Express JWT validation
Python / Flask validation
Middleware examples

Advanced Topics

Advanced MFA implementation patterns:

Adaptive MFA with Auth0 Actions
Conditional MFA based on risk signals
MFA Enrollment API

Reference Guide

Common patterns and troubleshooting:

Remember MFA for 30 days
MFA for high-value transactions
MFA status display
Error handling
AMR claim values
Testing strategies
Security considerations

Related Skills

auth0-quickstart - Basic Auth0 setup
auth0-passkeys - WebAuthn/passkey implementation
auth0-actions - Custom authentication logic

References

auth0/auth0-mfa — Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0. | Shipables

auth0/auth0-mfa

auth0/auth0-mfa

Auth0 MFA Guide

Overview

What is MFA?

When to Use This Skill

MFA Factors Supported

Key Concepts

Step 1: Enable MFA in Tenant

Via Auth0 Dashboard

Via Auth0 CLI

Configure MFA Policy

Step 2: Implement Step-Up Authentication

The `acr_values` Parameter

Implementation Pattern

Additional Resources

Step-Up Examples

Backend Validation

Advanced Topics

Reference Guide

Related Skills

References

Keywords

Categories

Repository

auth0/auth0-mfa

auth0/auth0-mfa

Auth0 MFA Guide

Overview

What is MFA?

When to Use This Skill

MFA Factors Supported

Key Concepts

Step 1: Enable MFA in Tenant

Via Auth0 Dashboard

Via Auth0 CLI

Configure MFA Policy

Step 2: Implement Step-Up Authentication

The acr_values Parameter

Implementation Pattern

Additional Resources

Step-Up Examples

Backend Validation

Advanced Topics

Reference Guide

Related Skills

References

Keywords

Categories

Repository

The `acr_values` Parameter