Google Authenticator MFA

I’m trying to add MFA via Google Authenticator to a single-page web app, as well as iOS and Android mobile clients. All 3 of these are using the Lock login. When a user logs into the web app for the first time, a QR code appears that can then be scanned. If a user logs into the mobile app for the first time, no QR code is shown.

My question is, how are users supposed to enroll when using mobile? Obviously showing a QR code on mobile wouldn’t make sense, unless you had another device to scan it. Is there a way to programmatically open the Google Auth app and auto-enroll the user or something?

Help is appreciated!

Would something like this work?
Edit: It should at least on Android

The Google Auth source code?

Obviously showing a QR code on mobile wouldn’t make sense, unless you had another device to scan it.

There is a link “Trouble scanning” that allows you to enter the code manually into the authenticator…

… on the next page, when clicked:

Thanks for the reply. That QR code does not show up with Lock embedded login on mobile, it just goes straight to the ‘Enter your one-time code’ screen.

Ok I see, it’s the embedded Lock, not the Lock inside the Auth0 hosted page (so you’re not redirecting to Auth0 hosted page).
In this case, you could use the Authentication API regarding MFA https://auth0.com/docs/api/authentication#add-an-authenticator

Is there a way to programmatically open the Google Auth app and auto-enroll the user or something?

From a quick Google search, I don’t think it’s possible (i.e. on Android), as there’s no respective Intent available yet (at least, it’s an open issue for the Google Authenticator on Android).

No. If I understood correctly that you want to enroll a user with a new MFA and add the key to the authenticator automatically, then read the linked wiki page about Key Uri Format. With that you are able to create a URI that the client can open (or auto-redirect the client). Opening that URI will open the Google Authenticator app automatically and ask the user if he/she wants to add your key.

I created a simple web page to demonstrate this. Open it with a mobile device with the Google Authenticator app installed. There is a link that should open Google Authenticator for you and ask for adding the key. It uses the same example URI found from the wiki: otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

I verified this, works with at least Android 9 and Google Authenticator version 5. I don’t have an iOS device to test this on.
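The enrollment URI described in the post above, as an added example that is not part of the original thread or of Auth0's code: it builds an otpauth:// URI per the Key Uri Format and parses one back, rejecting a non-Base32 secret or a label prefix that disagrees with the issuer parameter. The function names buildOtpauthUri and parseOtpauthUri are hypothetical; the sample values are the wiki example quoted in the post.

```javascript
// Added example (hypothetical helper names). The URI carries the shared TOTP
// secret, so handle it like a credential: keep it out of logs and analytics.
const BASE32 = /^[A-Z2-7]+$/; // unpadded Base32 alphabet

function buildOtpauthUri({ issuer, account, secret }) {
  if (!issuer || !account) throw new Error("issuer and account are required");
  // ':' separates issuer from account in the label, so neither may contain it.
  if (issuer.includes(":") || account.includes(":")) {
    throw new Error("issuer and account must not contain ':'");
  }
  // Normalise the secret: drop spaces and padding, upper-case, then validate.
  const key = String(secret || "").replace(/[\s=]/g, "").toUpperCase();
  if (!BASE32.test(key)) throw new Error("secret is not valid Base32");
  // Percent-encode each label part separately; the ':' between them stays literal.
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(account)}`;
  const query = `secret=${key}&issuer=${encodeURIComponent(issuer)}`;
  return `otpauth://totp/${label}?${query}`;
}

function parseOtpauthUri(uri) {
  const url = new URL(uri);
  if (url.protocol !== "otpauth:") throw new Error("not an otpauth URI");
  if (url.hostname !== "totp") throw new Error("only TOTP is handled here");
  const label = decodeURIComponent(url.pathname.replace(/^\//, ""));
  const sep = label.indexOf(":");
  const prefix = sep === -1 ? null : label.slice(0, sep);
  const account = label.slice(sep + 1).trim();
  const issuer = url.searchParams.get("issuer");
  const secret = url.searchParams.get("secret") || "";
  if (!account) throw new Error("missing account name");
  if (!BASE32.test(secret)) throw new Error("secret is not valid Base32");
  // When both are present, the label prefix and issuer parameter should match.
  if (prefix !== null && issuer !== null && prefix !== issuer) {
    throw new Error("label prefix and issuer parameter disagree");
  }
  return { issuer: issuer ?? prefix, account, secret };
}

// Constructed sample input: the wiki example values quoted in the post.
const sampleUri = buildOtpauthUri({
  issuer: "Example",
  account: "alice@google.com",
  secret: "jbsw y3dp ehpk 3pxp",
});
console.log(sampleUri);
console.log(parseOtpauthUri(sampleUri));
```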

@alexander.elo considering this URI that you provided (otpauth://totp/Example:alice@google.com?secret=JBSWY3DPEHPK3PXP&issuer=Example), is there a way to change the issuer parameter somewhere in Auth0?

If I’m not mistaken it’s currently using the name of your Auth0 Tenant. Inside our company we have different applications we need to support and as it turns out the Google Authenticator does not allow you to change the name (check out Cannot rename entries in iOS authenticator app).

If we could control the issuer parameter on the otpauth URI that is generated by Auth0, we could create a more meaningful entry name for the end user.

Makes sense?