We all know that adding Multi-Factor Authentication (MFA) to our applications is a good idea. It dramatically increases the resilience of systems, protecting against credential-based attacks.
Adding MFA to a system can be daunting. One of the advantages of using a platform like Auth0 for your authentication is that the platform can take care of the undifferentiated heavy lifting of MFA for you.
In this post I'll go through setting up MFA with Auth0. All of this will be within the Auth0 free tier.
Setting up
I'm going to assume that you have an application set up with authentication going through Auth0. If you want some help with setting this up you can read this post on getting started with Auth0 and React.
Good news: setting up MFA with Auth0 doesn't require any front-end changes; we can do the entire setup within the Auth0 console.
Start by opening the console and logging in at manage.auth0.com.
Open the MFA page under the Security menu.
Select the Push via Auth0 Guardian link. For this example we'll use this factor since it's free to use.
Flick the switch to turn it on and then go Back to Multi-factor Authentication.
At the bottom of the page set Require Multi-factor Auth to Always.
Click save.
Now all users will be required to use Multi-factor Authentication when using the application. For existing users a trust on first use model will be used and users will be required to set up MFA the next time they log in.
User experience
After a user has registered (or logged in, for existing users), they will be asked to download the Auth0 Guardian app from either the Android Play Store or the Apple App Store.
When they confirm that they have downloaded the Guardian app, they are presented with a QR code that they need to scan from within the Guardian app.
Once the user has completed this they are shown a recovery code to bypass MFA should they lose access to their phone or the Guardian app.
When the user marks that they have recorded the recovery code, Auth0 will send them a push notification to confirm that they are able to prove who they are.
Once the user has accepted that it was them trying to log in, they are shown a screen telling them that they are all set up and will need their device when attempting to log in in the future.
Resetting MFA
Inevitably your users are going to need you to manually intervene and remove or reset MFA on their account.
This can be done in the Auth0 console: select Users under the User Management menu item.
Find the user that you want to reset MFA for; selecting them opens the user's settings.
Scroll down the page to the Multi-Factor Authentication section.
Select Reset MFA.
Confirm that you want to reset it, noting that this can't be undone.
Now when your user logs in again they will be required to re-enrol in MFA.