Private Cloud Guardian: Customizable MFA Factors


This article clarifies whether it is possible to limit the type of MFA methods that Guardian offers to Tenant Admins.

This might be desired in the context of migrating from legacy Duo MFA exception to Guardian MFA, but the following methods should not be enabled for the Tenant Admins:

  • Push notifications using the Auth0 Guardian app or SDK.
  • Text messages or voice calls containing a verification code.
  • Email messages containing a verification code.

Other use cases that imply the limitation of the MFA methods are not excluded.

Applies To

  • Private Cloud Guardian
  • Guardian MFA
  • MFA Factors


The list of factors is not currently customizable in Private Cloud. It might be possible in the future through Auth0 Teams, but for now, this capability does not exist.

For the moment, only the following factors are allowed:

  • WebAuthn with FIDO Security Keys;
  • WebAuthn with FIDO Device Biometrics;
  • One-time Password (using Google Authenticator or similar);
  • Recovery Code.