auth0-mfa
Auth0 MFA Guide
Add Multi-Factor Authentication to protect user accounts and require additional verification for sensitive operations.
Overview
What is MFA?
Multi-Factor Authentication (MFA) requires users to provide two or more verification factors to access their accounts. Auth0 supports multiple MFA factors and enables step-up authentication for sensitive operations.
When to Use This Skill
- Adding MFA to protect user accounts
- Requiring additional verification for sensitive actions (payments, settings changes)
- Implementing adaptive/risk-based authentication
- Meeting compliance requirements (PCI-DSS, SOC2, HIPAA)
MFA Factors Supported
| Factor | Type | Description |
|---|---|---|
| TOTP | Something you have | Time-based one-time passwords (Google Authenticator, Authy) |
| SMS | Something you have | One-time codes via text message |
| Email | Something you have | One-time codes via email |
| Push | Something you have | Push notifications via Auth0 Guardian app |
| WebAuthn | Something you have/are | Security keys, biometrics, passkeys |
| Voice | Something you have | One-time codes via phone call |
| Recovery Code | Backup | One-time use recovery codes |

Note that SMS, voice and email codes can be phished or intercepted (SIM swap, mailbox compromise) and push is exposed to prompt-bombing; WebAuthn is the only phishing-resistant factor in this list, so prefer it for high-value step-up.
Key Concepts
| Concept | Description |
|---|---|
| `acr_values` | Request MFA during authentication |
| `amr` claim | Authentication Methods Reference - indicates how the user authenticated |
| Step-up auth | Require MFA for specific actions after initial login |
| Adaptive MFA | Conditionally require MFA based on risk signals |
Step 1: Enable MFA in Tenant
Via Auth0 Dashboard
- Go to Security → Multi-factor Auth
- Enable desired factors (TOTP, SMS, etc.)
- Configure Policies:
  - Always - Require MFA for all logins
  - Adaptive - Risk-based MFA
  - Never - Do not require MFA at login; the enabled factors can still be requested per operation via step-up
Via Auth0 CLI
```bash
# View current MFA configuration
auth0 api get "guardian/factors"

# Enable TOTP (One-time Password)
auth0 api put "guardian/factors/otp" --data '{"enabled": true}'

# Enable SMS
auth0 api put "guardian/factors/sms" --data '{"enabled": true}'

# Enable Push notifications
auth0 api put "guardian/factors/push-notification" --data '{"enabled": true}'

# Enable WebAuthn (Roaming - Security Keys)
auth0 api put "guardian/factors/webauthn-roaming" --data '{"enabled": true}'

# Enable WebAuthn (Platform - Biometrics)
auth0 api put "guardian/factors/webauthn-platform" --data '{"enabled": true}'

# Enable Email
auth0 api put "guardian/factors/email" --data '{"enabled": true}'
```
Configure MFA Policy
```bash
# Set MFA policy: "all-applications" (Always) or "confidence-score" (Adaptive).
# The body is the complete policy list; an empty array ([]) selects "Never".
auth0 api put "guardian/policies" --data '["all-applications"]'
```
---
Step 2: Implement Step-Up Authentication
Step-up auth requires MFA for sensitive operations without requiring it for every login.
The acr_values Parameter
Request MFA by including `acr_values` in your authorization request:
```
acr_values=http://schemas.openid.net/pape/policies/2007/06/multi-factor
```
Implementation Pattern
The general pattern for all frameworks:
- Check if the user has already completed MFA (inspect the `amr` claim)
- If not, request MFA via the `acr_values` parameter
- Proceed with the sensitive action once MFA is verified
For complete framework-specific examples, see Examples Guide:
- React (basic and custom hook)
- Next.js (App Router)
- Vue.js
- Angular
Additional Resources
This skill is split into multiple files for better organization:
Step-Up Examples
Complete code examples for all frameworks:
- React (basic and custom hook patterns)
- Next.js (App Router with API routes)
- Vue.js (composition API)
- Angular (services and components)
Backend Validation
Learn how to validate MFA status on your backend:
- Node.js / Express JWT validation
- Python / Flask validation
- Middleware examples
Advanced Topics
Advanced MFA implementation patterns:
- Adaptive MFA with Auth0 Actions
- Conditional MFA based on risk signals
- MFA Enrollment API
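Adaptive MFA with a post-login Action, added here as an example (not the skill's advanced-topics file or Auth0's own code). The decision is kept in a pure `decideMfa(event)` so it can be tested offline; `onExecutePostLogin` is the Action entry point and calls `api.multifactor.enable`, the Actions API for triggering MFA. The `riskAssessment` fields are those populated when Adaptive MFA is enabled and are treated as assumptions here, as is the `app_metadata.requires_mfa` flag; the events are constructed.

```javascript
// Pure decision: given the Actions event, should this login be challenged for MFA?
// It returns the reason so it can be logged for detection and audit.
function decideMfa(event) {
  const auth = event.authentication || {};
  const methods = Array.isArray(auth.methods) ? auth.methods : [];
  if (methods.some((m) => m.name === "mfa")) {
    return { require: false, reason: "mfa already completed in this session" };
  }

  // Per-user override stored in app_metadata (flag name is an assumption).
  const appMeta = (event.user && event.user.app_metadata) || {};
  if (appMeta.requires_mfa === true) {
    return { require: true, allowRememberBrowser: true, reason: "user flagged requires_mfa" };
  }

  // Risk signals from Adaptive MFA (only present when the add-on is enabled).
  // Do not let a risky login remember the browser: that would convert one
  // successful challenge into a long-lived bypass.
  const risk = auth.riskAssessment || {};
  const assessments = risk.assessments || {};
  if (risk.confidence === "low") {
    return { require: true, allowRememberBrowser: false, reason: "low overall confidence" };
  }
  if (assessments.NewDevice && assessments.NewDevice.confidence === "low") {
    return { require: true, allowRememberBrowser: false, reason: "login from a new device" };
  }
  if (assessments.ImpossibleTravel && assessments.ImpossibleTravel.confidence === "low") {
    return { require: true, allowRememberBrowser: false, reason: "impossible travel" };
  }

  return { require: false, reason: "no risk signal" };
}

// Action entry point. In the Actions editor this is `exports.onExecutePostLogin`.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.require) {
    // "any" lets the user satisfy the challenge with any factor enabled on the tenant.
    api.multifactor.enable("any", { allowRememberBrowser: decision.allowRememberBrowser });
  }
}

// Constructed sample events (shape follows the Actions event object; values are made up).
function sampleEvent({ methods, confidence, assessments = {}, appMetadata = {} }) {
  return {
    user: { user_id: "auth0|6b8f", app_metadata: appMetadata },
    authentication: { methods, riskAssessment: { confidence, assessments } },
    request: { ip: "203.0.113.10" },
  };
}
const EVENT_TRUSTED = sampleEvent({ methods: [{ name: "pwd" }], confidence: "high" });
const EVENT_NEW_DEVICE = sampleEvent({
  methods: [{ name: "pwd" }],
  confidence: "medium",
  assessments: { NewDevice: { confidence: "low" } },
});
const EVENT_ALREADY_MFA = sampleEvent({ methods: [{ name: "pwd" }, { name: "mfa" }], confidence: "low" });
```

Because the step-up flow in Step 2 already triggers a challenge whenever `acr_values` is sent, this Action only needs to cover the login-time decision; keeping the two separate means a low-risk login is not challenged twice.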
Reference Guide
Common patterns and troubleshooting:
- Remember MFA for 30 days
- MFA for high-value transactions
- MFA status display
- Error handling
- AMR claim values
- Testing strategies
- Security considerations
Related Skills
- auth0-quickstart - Basic Auth0 setup
- auth0-passkeys - WebAuthn/passkey implementation
- auth0-actions - Custom authentication logic