Dashboard Admins who opt in to MFA for the Auth0 Dashboard can now enroll additional factors, so that losing their primary device no longer means being locked out of their account.
Auth0 recommends that Dashboard Admins enable MFA to protect their accounts. Enabling MFA, however, carries the risk of a lockout: if an admin loses access to both their second-factor device and the automatically generated Recovery Code, the only remaining option is to contact Auth0 Support, and there is no guarantee that the account can be recovered.
We’ve added the option for Dashboard Admins to enroll multiple MFA methods, and the ability to regenerate the Recovery Code.
The following factors can be configured from the Profile page. We strongly recommend enrolling at least two of them, and as many as you can:
Guardian (push notifications)
OTP (Google Authenticator or similar)
SMS (up to 2 numbers)
Make sure your Recovery Code is stored in a secure place, such as a password manager. If you haven’t done so already, regenerate your Recovery Code now and store it there.
How does this affect me?
If you have MFA enabled for your Auth0 account (in your Admin profile - not for end users of your applications), please update your profile to enroll additional factors and make sure you safely store your recovery code. This will reduce the chances of losing access to your account in the future.
If you don’t yet have MFA enabled, no immediate action is required. However, we recommend that you enable MFA from your Profile page and make sure multiple factors are enrolled.
While enabling MFA adds important protection to your account, note that it also makes you responsible for ensuring you do not lose access to your factors.
Adding one or two phone numbers for SMS in addition to the Push or OTP factor, and storing the Recovery Code securely, is strongly recommended.
If you are locked out and none of your enrolled MFA factors is available to you, there is no guarantee that you can regain access to your account, because we may not be able to confirm that you own it.