DEV Community

loading...
Cover image for Setting up MFA with Auth0 Guardian

Setting up MFA with Auth0 Guardian

kleeut profile image Klee Thomas ・3 min read

We all know that adding Multi Factor Authentication (MFA) to our applications is a good idea. It dramatically increases the resilience to systems, protecting against credential based attacks.

Adding MFA to a system can be daunting. One of the advantages of using a platform like Auth0 for your authentication is that the platform can take care of things like doing all the undifferentiated heavy lifting of MFA for you.

In this post I'll go through setting up MFA with Auth0. All of this will be within the Auth0 free tier.

Setting up

I'm going to assume that you have an application set up with authentication going through Auth0. If you want some help with setting this up you can read this post on getting started with Auth0 and React.

Good news setting up MFA with Auth0 doesn't require any front end changes, we can do the entire set up within the Auth0 console.

Start by opening the console and logging in at manage.auth0.com.

Open the MFA page under the Security menu.

Open the MFA page under the Security menu

Select the Push via Auth0 Guardian link. For this example we'll use this factor since it's free to use.
Select Auth0 Guardian

Flick the switch to turn it on and then go Back to Multi-factor Authentication.
Turn on Auth0 Guardian

At the bottom of the page set Require Multi-factor Auth to Always.

Set MFA to always
Click save.

Now all users will be required to use Multi-factor Authentication when using the application. For existing users a trust on first use model will be used and users will be required to set up MFA the next time they log in.

User experience

After a user has registered (or logged in for existing users). They will be asked to download the auth0 guardian app from either the Android Play Store or Apple App Store.

User is asked to download the Auth0 Guardian app from an app store

When they click that they have downloaded the Guardian App they are presented with a QR code that they need to scan from within the guardian app.

QR code is displayed to user

Once the user has completed this they are shown a recovery code to bypass MFA should they lose access to their phone or the Guardian app.

Display recovery code

When the user marks that they have recorded the recovery code Auth0 will send them a push notification to confirm that they are able to prove who they are.

Send Push

Once the user has accepted that is was them trying to log in then they are shown a screen telling them that they are all set up and will need to have their device when attempting to log in in the future.

User is all set up with MFA

Resetting MFA

Inevitably your users are going to need to have you manually intervene and remove or reset MFA on their account.

This can be done in the Auth0 console, select Users under the User Management menu item.

Select the users submenu

Find the user that you want to reset MFA for. This will open the users settings.
Scroll down the page to the Multi-Factor Authentication section.
Select Reset MFA

Select Reset MFA

Confirm that you want to reset it even though it cant be undone.

Alt Text

Now when your user logs in again they will be required to re-enrol MFA.

Discussion (0)

pic
Editor guide