Auth0 provides a built-in enrollment and authentication flow using Universal Login. However, if you want to create your own user interface, you can use the MFA API to accomplish it.

Prerequisites

Before you can use the MFA APIs, you’ll need to enable the MFA grant type for your application. Go to Auth0 Dashboard > Applications > Advanced Settings > Grant Types and select MFA.

Enroll with SMS or voice

Get MFA token

Depending on when you are triggering enrollment, you can obtain an for using the MFA API in different ways:

Enroll authenticator

Make a POST request to the MFA Associate endpoint to enroll the user’s authenticator. The bearer token required by this endpoint is the MFA token obtained in the previous step. To enroll with SMS or voice, they enroll with a phone number that can be challenged either with SMS or voice. Specific the parameters below to call the endpoint. The oob_channels parameter indicates how you want to send the code to the user (SMS or voice). 
curl --request POST \
  --url 'https://{yourDomain}/mfa/associate' \
  --header 'authorization: Bearer {mfaToken}' \
  --header 'content-type: application/json' \
  --data '{ "authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": "+11...9" }'
ParameterValue
authentication_types[oob]
oob_channels[sms] or [voice]
phone_number+11…9, the phone number E.164 format
If successful, you receive a response like this: 
{
  "authenticator_type": "oob",
  "binding_method": "prompt",
  "recovery_codes": [ "N3BGPZZWJ85JLCNPZBDW6QXC" ],
  "oob_channel": "sms",
  "oob_code": "ata6daXAiOi..."
}
`
If you get a User is already enrolled error, the user already has an MFA factor enrolled. Before associating another factor with the user, you must challenge the user with the existing factor. If this is the first time the user is associating an authenticator, you’ll notice the response includes recovery_codes. Recovery codes are used to access the user’s account in the event that they lose access to the account or device used for their second-factor authentication. These are one-time usable codes, and new ones are generated as necessary.

Confirm SMS or voice enrollment

Users should receive a message with a 6-digit code that they need to provide to the application. To complete enrollment, make a POST request to the . You need to include the oob_code returned in the previous response, and the binding_code with the value received in the message. 
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'authorization: Bearer {mfaToken}' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=http://auth0.com/oauth/grant-type/mfa-oob \
  --data 'client_id={yourClientId}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'mfa_token={mfaToken}' \
  --data 'oob_code={oobCode}' \
  --data 'binding_code={userOtpCode}'
If the call was successful, you’ll receive a response in the following format, containing the access token: 
{
  "id_token": "eyJ...i",
  "access_token": "eyJ...i",
  "expires_in": 600,
  "scope": "openid profile",
  "token_type": "Bearer"
}

Challenge with SMS or voice

Get MFA token

Get an MFA token following the steps described in Authenticate With Resource Owner Password Grant and MFA.

Retrieve enrolled authenticators

To challenge the user, you need the authenticator_id for the factor you want to challenge. You can list all enrolled authenticators using the MFA Authenticators endpoint: 
curl --request GET \
  --url 'https://{yourDomain}/mfa/authenticators' \
  --header 'authorization: Bearer MFA_TOKEN' \
  --header 'content-type: application/json'
You will get a list of authenticators with the following format: 
[
    {
        "id": "recovery-code|dev_O4KYL4FtcLAVRsCl",
        "authenticator_type": "recovery-code",
        "active": true
    },
    {
        "id": "sms|dev_NU1Ofuw3Cw0XCt5x",
        "authenticator_type": "oob",
        "active": true,
        "oob_channel": "sms",
        "name": "XXXXXXXX8730"
    },
        {
        "id": "voice|dev_NU1Ofuw3Cw0XCt5x",
        "authenticator_type": "oob",
        "active": true,
        "oob_channel": "voice",
        "name": "XXXXXXXX8730"
    }
]

Challenge user with OTP

To trigger a challenge, POST to the MFA Challenge endpoint using the corresponding authenticator_id and the mfa_token. 
curl --request POST \
  --url 'https://{yourDomain}/mfa/challenge' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "{yourClientId}",  "client_secret": "{yourClientSecret}", "challenge_type": "oob", "authenticator_id": "sms|dev_NU1Ofuw3Cw0XCt5x", "mfa_token": "{mfaToken}" }'

Complete authentication using received code

If success, you receive the following response: 
{
  "challenge_type": "oob",
  "oob_code": "asdae35fdt5...",
  "binding_method": "prompt"
}
Your application needs to prompt the user for the 6-digit code sent in the message and should be set in the binding_code parameter. You can verify the code and get authentication tokens using the OAuth0 Token endpoint, specifying the binding_code and oob_code returned by the previous call: 
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=http://auth0.com/oauth/grant-type/mfa-oob \
  --data 'client_id={yourClientId}' \
  --data 'client_secret={yourClientSecret}' \
  --data 'mfa_token={mfaToken}' \
  --data 'oob_code={oobCode}' \
  --data binding_code=USER_OTP_CODE
If the call was successful, you’ll receive a response in the format below, containing the access token: 
{
  "id_token": "eyJ...i",
  "access_token": "eyJ...i",
  "expires_in": 600,
  "scope": "openid profile",
  "token_type": "Bearer"
}
Note: SMS and invalid code returns are subject to rate limiting. SMS codes can be sent 10 times and refill once per hour, while invalid codes can be returned 10 times and refill once every six minutes.

Learn more