Add Multi-Factor Authentication for Auth0 Dashboard Access
Each user should self-enroll in multi-factor authentication (MFA). You can enroll in most factors in Your Profile. Device biometrics, however, require progressive enrollment.
Auth0 recommends WebAuthn factors as the most secure and usable authentication methods. To learn more, read FIDO Authentication with WebAuthn.
Admins must enable at least one factor to use MFA. Auth0 highly recommends setting up multiple factors so you can still access your account if you lose your primary device.
An ideal setup is to use three factors:
WebAuthn, Guardian, or OTP as the primary method.
One or more SMS numbers as a backup (available only on tenants attached to a subscription plan).
A recovery code.
If you can’t provide your MFA token and you don’t have proper backup methods, your account may be irrecoverable.
WebAuthn with device biometrics is the only method that you can’t add on the Account Settings page. Instead, Auth0 progressively enrolls all of your WebAuthn-capable devices. Auth0 prompts you to enroll those devices after you enroll any other MFA method. These prompts recur each time you log in to Auth0 Dashboard.
As part of the enrollment, Auth0 prompts you to name your devices. This makes it easy to manage them from the Account Settings page.
Browsers with JavaScript disabled or without WebAuthn platform authenticator support can’t enroll or authenticate with device biometrics. The latest versions of popular browsers and operating systems provide support for WebAuthn with Security Keys. To learn more, read the browser support section on webauthn.me.
Immediately after successfully enabling two-factor authentication, Auth0 prompts you to copy a recovery code. If you lose access to all your enrolled factors, you can use this recovery code to log in to your account. Auth0 recommends copying and printing recovery codes or storing them in a safe place, such as a password manager.
If you lose the recovery codes or just want to generate new ones, you can do so from Your Profile.
Logging in with MFA enabled is only slightly different than a normal login. When you enter admin account credentials, a second prompt appears, depending on which type of MFA factors you’ve enabled.
If a user loses access to a primary factor, they can click on Select Another Method and try with any of the other factors, including recovery codes. This is why it’s so important to enroll in multiple methods to prevent being locked out of your account.
After you successfully add your second authentication factor and you log in from a new device that supports WebAuthn, you see a prompt to “Log in Faster on this Device.” This lets you use that device for multi-factor authentication the next time.