Auth0 Home Blog Docs

MFA with custom login


I am trying to incorporate MFA (specifically oob) into my custom login page app.

I am currently using the auth0.js SDK for login which works great.

It returns me mfa_required response 403 and the mfa_token.

I have read numerous tutorials and tried for days now to call /mfa/challenge with no luck and only get 401 Unauthorized errors.

I have run out of options can someone please point me in the right direction? Thanks!

Hi @wesley.litton,

Welcome and thank you for posting in Auth0 Community!

If you have an access token with the enroll scope and the audience set to https://YOUR_DOMAIN/mfa/ you can use the Access Token as the mfa_token to call the /oauth/token` endpoint.

  1. Call the /mfa/associate endpoint with the Access Token in the Security header.
  2. Call the /oauth/token endpoint with
  • mfa_token - Access token you used to call /mfa/associate endpoint.
  • oob_code - Received in step 1.
  • binding_code - Verification code received in the SMS.

This allows you to enroll the new number with the user profile.

Also, make sure to send client_secret in the second /oauth/token call with the verification code, and also remove the binding_method (if you have it) field as well?

Let me know how it goes. If you require any further assistance, please let me know. I will do my best to assist you.