Skip to main content
To use Adaptive MFA, you must have an Enterprise Plan with the Adaptive MFA addon. Refer to Auth0 Pricing for details.
is a flexible, extensible policy that can help you protect your tenant from without increasing friction for real users. It assesses potential risk during every login transaction, and then prompts the user for additional verification if appropriate.

How it works

During a login transaction, Adaptive MFA calculates an overall confidence score based on analysis of three risk assessments: When Adaptive MFA determines the overall confidence score is low (that the login transaction is high-risk), it requires the user to verify their identity with MFA. If the user is not enrolled in MFA, they are required to complete additional verification before they are eligible to do so. Adaptive MFA includes a comprehensive security flow that ensures the authenticity of users:
Auth0 Login Adaptive multi-factor authentication flow diagram
Adaptive MFA ignores any and all existing MFA sessions (for example, a user selected Remember this browser during a previous MFA flow), and does not allow users to bypass MFA challenges.

Customize Adaptive MFA

You can use Actions to customize the MFA flow and provide the best experience for your users. To learn more about risk assessments, confidence scores, and customization options, read Customize Adaptive MFA.

Support and limitations

Authorization flows

Adaptive MFA is supported by all authentication and that start with the end user. To learn more about the different flows and protocols, read Authentication and Authorization Flows and Protocols. *Adaptive MFA is not supported for -initiated flows, but you can simulate the flow with OIDC applications. To learn more, read Configure IdP-Initiated SAML Sign-on to OIDC Apps.

Social connections

Adaptive MFA is fully supported for social connection types where an email address is available for each user. Adaptive MFA requires an email address to complete the email challenge step that occurs when a user is not enrolled in MFA. If an email address is not available, Adaptive MFA cannot perform the email challenge and the transaction will be blocked. This scenario does not introduce a security risk, but it does limit the functionality of the feature. If you’ve set up a social connection, and expect an email address to be available but it’s not, verify your configuration and confirm that the correct scopes, claims, and permissions are being requested. To learn more about supported social connections and how to install them, read Social Connections on Auth0 Marketplace.

Auth0 features

The following table lists Auth0 implementations and their functionality with Adaptive MFA:

Learn more