Labsco
auth0 logo

auth0-mfa

37

by auth0 · part of auth0/agent-skills

Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance…

🔥🔥🔥🔥✓ VerifiedFreeQuick setup
🧩 One of 7 skills in the auth0/agent-skills package — works on its own, and pairs well with its siblings.

Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance…

Inspect the full instructions your agent will receiveExpand

This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.

by auth0

Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance… npx skills add https://github.com/auth0/agent-skills --skill auth0-mfa Download ZIPGitHub37

Auth0 MFA Guide

Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.

Overview

What is MFA?

Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.

When to Use This Skill

  • Adding MFA to protect user accounts

  • Requiring additional verification for sensitive actions (payments, settings changes)

  • Implementing adaptive/risk-based authentication

  • Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)

MFA Factors Supported

Factor Type Description TOTP Something you have Time-based one-time passwords (Google Authenticator, Authy) SMS Something you have One-time codes via text message Email Something you have One-time codes via email Push Something you have Push notifications via Auth0 Guardian app WebAuthn Something you have/are Security keys, biometrics, passkeys Voice Something you have One-time codes via phone call Recovery Code Backup One-time use recovery codes

Key Concepts

Concept Description acr_values Request MFA during authentication amr claim Authentication Methods Reference - indicates how user authenticated Step-up auth Require MFA for specific actions after initial login Adaptive MFA Conditionally require MFA based on risk signals

Step 1: Enable MFA in Tenant

Via Auth0 Dashboard

  • Go to Security → Multi-factor Auth

  • Enable desired factors (TOTP, SMS, etc.)

  • Configure Policies:

  • Always - Require MFA for all logins

  • Adaptive - Risk-based MFA

  • Never - Disable MFA (use step-up instead)

Via Auth0 CLI

Copy & paste — that's it
# View current MFA configuration
auth0 api get "guardian/factors"

# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'

Configure MFA Policy

Copy & paste — that's it
# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'

Step 2: Implement Step-Up Authentication

Step-up auth requires MFA for sensitive operations without requiring it for every login.

The acr_values Parameter

Request MFA by including acr_values in your authorization request:

Copy & paste — that's it
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor

Implementation Pattern

The general pattern for all frameworks:

  • Check if user has already completed MFA (inspect amr claim)

  • If not, request MFA via acr_values parameter

  • Proceed with sensitive action once MFA is verified

For complete framework-specific examples, see Examples Guide:

  • React (basic and custom hook)

  • Next.js (App Router)

  • Vue.js

  • Angular

Additional Resources

This skill is split into multiple files for better organization:

Step-Up Examples

Complete code examples for all frameworks:

  • React (basic and custom hook patterns)

  • Next.js (App Router with API routes)

  • Vue.js (composition API)

  • Angular (services and components)

Backend Validation

Learn how to validate MFA status on your backend:

  • Node.js / Express JWT validation

  • Python / Flask validation

  • Middleware examples

Advanced Topics

Advanced MFA implementation patterns:

  • Adaptive MFA with Auth0 Actions

  • Conditional MFA based on risk signals

  • MFA Enrollment API

Reference Guide

Common patterns and troubleshooting:

  • Remember MFA for 30 days

  • MFA for high-value transactions

  • MFA status display

  • Error handling

  • AMR claim values

  • Testing strategies

  • Security considerations

Related Skills

  • auth0-quickstart - Basic Auth0 setup

  • auth0-passkeys - WebAuthn/passkey implementation

  • auth0-actions - Custom authentication logic

References