
auth0-mfa
★ 37by auth0 · part of auth0/agent-skills
Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance…
Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance…
Inspect the full instructions your agent will receiveExpandCollapse
This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.
by auth0
Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance…
npx skills add https://github.com/auth0/agent-skills --skill auth0-mfa
Download ZIPGitHub37
Auth0 MFA Guide
Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.
Overview
What is MFA?
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.
When to Use This Skill
-
Adding MFA to protect user accounts
-
Requiring additional verification for sensitive actions (payments, settings changes)
-
Implementing adaptive/risk-based authentication
-
Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)
MFA Factors Supported
Factor Type Description TOTP Something you have Time-based one-time passwords (Google Authenticator, Authy) SMS Something you have One-time codes via text message Email Something you have One-time codes via email Push Something you have Push notifications via Auth0 Guardian app WebAuthn Something you have/are Security keys, biometrics, passkeys Voice Something you have One-time codes via phone call Recovery Code Backup One-time use recovery codes
Key Concepts
Concept Description
acr_values Request MFA during authentication
amr claim Authentication Methods Reference - indicates how user authenticated
Step-up auth Require MFA for specific actions after initial login
Adaptive MFA Conditionally require MFA based on risk signals
Step 1: Enable MFA in Tenant
Via Auth0 Dashboard
-
Go to Security → Multi-factor Auth
-
Enable desired factors (TOTP, SMS, etc.)
-
Configure Policies:
-
Always - Require MFA for all logins
-
Adaptive - Risk-based MFA
-
Never - Disable MFA (use step-up instead)
Via Auth0 CLI
# View current MFA configuration
auth0 api get "guardian/factors"
# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'
# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'
# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'
# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'
# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'
# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'
Configure MFA Policy
# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'
Step 2: Implement Step-Up Authentication
Step-up auth requires MFA for sensitive operations without requiring it for every login.
The acr_values Parameter
Request MFA by including acr_values in your authorization request:
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
Implementation Pattern
The general pattern for all frameworks:
-
Check if user has already completed MFA (inspect
amrclaim) -
If not, request MFA via
acr_valuesparameter -
Proceed with sensitive action once MFA is verified
For complete framework-specific examples, see Examples Guide:
-
React (basic and custom hook)
-
Next.js (App Router)
-
Vue.js
-
Angular
Additional Resources
This skill is split into multiple files for better organization:
Step-Up Examples
Complete code examples for all frameworks:
-
React (basic and custom hook patterns)
-
Next.js (App Router with API routes)
-
Vue.js (composition API)
-
Angular (services and components)
Backend Validation
Learn how to validate MFA status on your backend:
-
Node.js / Express JWT validation
-
Python / Flask validation
-
Middleware examples
Advanced Topics
Advanced MFA implementation patterns:
-
Adaptive MFA with Auth0 Actions
-
Conditional MFA based on risk signals
-
MFA Enrollment API
Reference Guide
Common patterns and troubleshooting:
-
Remember MFA for 30 days
-
MFA for high-value transactions
-
MFA status display
-
Error handling
-
AMR claim values
-
Testing strategies
-
Security considerations
Related Skills
-
auth0-quickstart- Basic Auth0 setup -
auth0-passkeys- WebAuthn/passkey implementation -
auth0-actions- Custom authentication logic
References
npx skills add https://github.com/auth0/agent-skills --skill auth0-mfaRun this in your project — your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.