auth0/auth0-mfa
plugins/auth0/skills/auth0-mfa/SKILL.md
Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0.
$ install --global
skillsauthnpx skillsauth add auth0/agent-skills auth0-mfaInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 29, 2026, 2:51 AM316.2s5 files scanned
SKILL.md
- name:
- auth0-mfa
- description:
- Use when adding MFA, 2FA, TOTP, SMS codes, push notifications, passkeys, or when requiring step-up verification for sensitive operations or meeting compliance requirements (HIPAA, PCI-DSS) - covers adaptive and risk-based authentication with Auth0.
- license:
- Apache-2.0
- author:
- Auth0 <[email protected]>
- version:
- 1.0.0
- emoji:
- \U0001F510
- homepage:
- https://github.com/auth0/agent-skills
- - id:
- brew
- kind:
- brew
- package:
- auth0/auth0-cli/auth0
- bins:
- [auth0]
- label:
- Install Auth0 CLI (brew)
Auth0 MFA Guide
Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.
Overview
What is MFA?
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.
When to Use This Skill
- Adding MFA to protect user accounts
- Requiring additional verification for sensitive actions (payments, settings changes)
- Implementing adaptive/risk-based authentication
- Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)
MFA Factors Supported
| Factor | Type | Description | |--------|------|-------------| | TOTP | Something you have | Time-based one-time passwords (Google Authenticator, Authy) | | SMS | Something you have | One-time codes via text message | | Email | Something you have | One-time codes via email | | Push | Something you have | Push notifications via Auth0 Guardian app | | WebAuthn | Something you have/are | Security keys, biometrics, passkeys | | Voice | Something you have | One-time codes via phone call | | Recovery Code | Backup | One-time use recovery codes |
Key Concepts
| Concept | Description |
|---------|-------------|
| acr_values | Request MFA during authentication |
| amr claim | Authentication Methods Reference - indicates how user authenticated |
| Step-up auth | Require MFA for specific actions after initial login |
| Adaptive MFA | Conditionally require MFA based on risk signals |
Step 1: Enable MFA in Tenant
Via Auth0 Dashboard
- Go to Security → Multi-factor Auth
- Enable desired factors (TOTP, SMS, etc.)
- Configure Policies:
- Always - Require MFA for all logins
- Adaptive - Risk-based MFA
- Never - Disable MFA (use step-up instead)
Via Auth0 CLI
# View current MFA configuration
auth0 api get "guardian/factors"
# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'
# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'
# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'
# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'
# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'
# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'
Configure MFA Policy
# Set MFA policy: "all-applications" or "confidence-score"
auth0 api patch "guardian/policies" --data '["all-applications"]'
Step 2: Implement Step-Up Authentication
Step-up auth requires MFA for sensitive operations without requiring it for every login.
The acr_values Parameter
Request MFA by including acr_values in your authorization request:
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
Implementation Pattern
The general pattern for all frameworks:
- Check if user has already completed MFA (inspect
amrclaim) - If not, request MFA via
acr_valuesparameter - Proceed with sensitive action once MFA is verified
For complete framework-specific examples, see Examples Guide:
- React (basic and custom hook)
- Next.js (App Router)
- Vue.js
- Angular
Additional Resources
This skill is split into multiple files for better organization:
Step-Up Examples
Complete code examples for all frameworks:
- React (basic and custom hook patterns)
- Next.js (App Router with API routes)
- Vue.js (composition API)
- Angular (services and components)
Backend Validation
Learn how to validate MFA status on your backend:
- Node.js / Express JWT validation
- Python / Flask validation
- Middleware examples
Advanced Topics
Advanced MFA implementation patterns:
- Adaptive MFA with Auth0 Actions
- Conditional MFA based on risk signals
- MFA Enrollment API
Reference Guide
Common patterns and troubleshooting:
- Remember MFA for 30 days
- MFA for high-value transactions
- MFA status display
- Error handling
- AMR claim values
- Testing strategies
- Security considerations
Related Skills
auth0-quickstart- Basic Auth0 setupauth0-passkeys- WebAuthn/passkey implementationauth0-actions- Custom authentication logic
References
- Auth0 MFA Documentation
- Step-Up Authentication
- MFA API
- acr_values Parameter
Related Skills
auth0/auth0-laravel
development
VerifiedTrustedCommunity
Use when adding login, logout, and user profile to a Laravel web application using session-based authentication - integrates auth0/login (laravel-auth0) for guard-based auth with auto-registered routes.
26SKILL.mdUpdated Jun 4, 2026
auth0/auth0-laravel-api
tools
VerifiedTrustedCommunity
Use when securing Laravel API endpoints with JWT Bearer token validation, scope/permission checks, or stateless auth - integrates auth0/login (laravel-auth0) with the AuthorizationGuard for REST APIs receiving access tokens from SPAs, mobile apps, or other clients. Triggers on: Laravel API auth, auth0.authorizer, AuthorizationGuard, Laravel JWT, stateless Bearer.
26SKILL.mdUpdated Jun 4, 2026
auth0/auth0-flutter-web
development
VerifiedTrustedCommunity
Use when adding Auth0 authentication to a Flutter web application — integrates the auth0_flutter SDK (web platform) for browser-based authentication using redirect login, popup login, and credential caching.
26SKILL.mdUpdated Jun 4, 2026
auth0/auth0-flutter-native
development
VerifiedTrustedCommunity
Use when adding Auth0 authentication to a Flutter mobile application (iOS/Android) — integrates the auth0_flutter SDK (native platform) for Web Auth login/logout via the system browser, with secure credential storage and biometric protection through the CredentialsManager.
26SKILL.mdUpdated Jun 4, 2026