Articles

Set Up SMS and Authenticator App MFA in Auth0 (2026)

April 16, 2026 4 min read

Auth0’s MFA, especially with SMS and Authenticator Apps, isn’t just an extra security layer; it’s a dynamic gatekeeper that allows any user to access any resource, but only if they can prove they’re that user, right now.

Let’s see it in action. Imagine a user, Alice, trying to log into your app.

First, she enters her username and password. Auth0 verifies these. Then, the magic happens:

  1. Auth0 triggers MFA: Based on your rules, Auth0 determines Alice needs a second factor.
  2. MFA Method Selection: Alice has previously enrolled both her phone number for SMS and an authenticator app (like Google Authenticator or Authy). She chooses SMS.
  3. SMS Code Sent: Auth0 sends a one-time code (e.g., 741952) to Alice’s registered phone number.
  4. User Enters Code: Alice receives the SMS, types 741952 into the login prompt.
  5. Code Verified: Auth0 checks the code against the one it generated.
  6. Access Granted: If correct, Alice is logged in.

If she’d chosen the authenticator app, Auth0 would prompt her to enter the current 6-digit code displayed in her app (which changes every 30-60 seconds).

This isn’t just about checking a box; it’s about verifying possession (the phone or app) and knowledge (the password).

The Problem MFA Solves: Passwords alone are notoriously weak. They can be guessed, phished, or stolen. MFA introduces a second, independent verification step, making it significantly harder for an unauthorized person to gain access, even if they have the user’s password.

How it Works Internally: When you configure MFA in Auth0, you’re essentially setting up a policy. This policy dictates when MFA is required. Common triggers include:

  • First Login: For new users, or users accessing a sensitive application for the first time.
  • Login from New Device/Location: If a user logs in from an IP address or device Auth0 hasn’t seen before.
  • Sensitive Action: After authentication, if the user attempts to perform a critical operation (e.g., change profile, initiate a transaction).

Once triggered, Auth0 checks the user’s enrolled factors. If SMS and/or an authenticator app are available, it presents these options. The user’s selection and subsequent verification (code entry) are then processed by Auth0’s authentication engine. The entire flow is managed by Auth0’s Universal Login pages or your custom-built login experience.

Levers You Control:

  • MFA Policies: In the Auth0 Dashboard, under "Security" -> "Multi-factor Authentication," you define the rules. You can set it to "Required," "Optional," or "Adaptive."
    • Required: Every login attempt will require MFA.
    • Optional: Users can choose to enable MFA for themselves.
    • Adaptive: This is where the real power lies. You can set up rules based on factors like IP address, user’s country, device, or even risk level. For example, "Require MFA if the user is logging in from outside North America."
  • MFA Factors: You enable or disable specific MFA methods. For SMS, you’ll need to configure an SMS gateway (e.g., Twilio) in Auth0 under "Security" -> "Multi-factor Authentication" -> "SMS." For Authenticator Apps, this is usually enabled by default.
  • Enrollment Flow: You dictate how users enroll. This can be part of the initial signup, a post-login prompt, or initiated manually by the user.
  • User Experience: You can customize the Universal Login pages to brand the MFA prompts and provide clear instructions.

Here’s a snippet of what an Adaptive MFA rule might look like in Auth0’s Rule editor (using JavaScript):

function (user, context, callback) {
  // Require MFA for users logging in from outside the US and Canada
  if (context.connection.ip_country &&
      context.connection.ip_country !== 'US' &&
      context.connection.ip_country !== 'CA') {
    // User needs to perform MFA
    context.multifactor.enable();
    context.multifactor.addFactor({
      name: 'token_ PUSH', // Example, you'd use SMS or APP
      request: {
        /* your configuration */
      }
    });
    context.multifactor.returnTo = context.request.original_url;
  }
  callback(null, user, context);
}

The context.multifactor.enable() call is the key that tells Auth0, "Hey, this user needs a second factor for this login." You can then add specific addFactor configurations to guide which methods are prioritized or allowed.

The one thing most people don’t realize is that the order in which you define your MFA factors within an Adaptive rule, or the specific addFactor configurations, can subtly influence the user’s experience. If a user has both SMS and an authenticator app, Auth0 will typically present the first enrolled or prioritized factor as the default option. For example, if your rule prioritizes SMS, the user will see the "Send code via SMS" option as the primary choice, even if they have an authenticator app set up. This can be a point of friction if users prefer their authenticator app but are defaulted to SMS.

Once MFA is successfully configured and enforced, the next hurdle you’ll likely encounter is managing user enrollment and recovery processes.

Want structured learning?

Take the full Auth0 course →