Signup+login with SMS MFA on iOS


Hi,
We would like to implement custom UI in our iOS app for user onboarding. We would like to have something along the lines of:

import Auth0

func signup(email: String, password: String) {
    // Create the database user, then log in with the same credentials.
    Auth0
        .authentication()
        .createUser(email: email,
                    username: nil,
                    password: password,
                    connection: "Username-Password-Authentication",
                    userMetadata: nil)
        .start { [weak self] result in
            switch result {
            case .success(let user):
                print("Signup success: \(user)")
                self?.login(user: user, password: password)
            case .failure(let error):
                print("Signup failed: \(error)")
            }
        }
}

func login(user: DatabaseUser, password: String) {
    Auth0
        .authentication()
        // Fall back to the email when the user has no username.
        .login(usernameOrEmail: user.username ?? user.email,
               password: password,
               realm: "Username-Password-Authentication",
               audience: "fleet-dev-api",
               scope: "openid offline_access profile email",
               parameters: nil)
        .start { result in
            switch result {
            case .success(let credentials):
                print("Login successful: \(credentials)")
            case .failure(let error as AuthenticationError):
                if error.isMultifactorRequired {
                    // Request phone number and SMS
                } else {
                    print("Login failed: \(error)")
                }
            case .failure(let error):
                print("Login failed: \(error)")
            }
        }
}

In the commented line for requesting the user’s phone number, there’s no way (that we can find) to provide to Auth0 the user’s phone number so that we can trigger an MFA SMS being sent. We get an MFA token with that error, but we can’t work out how to use it. We’ve spent hours combing through the documentation but it’s really unclear how to do this natively using custom UI, everything assumes that we’re using the web authenticator.

Can you please advise and/or provide a working example?

Hey @yuval!

Unfortunately, getting phone numbers of your users automatically is not available at the moment. Here’s the link to a potential workaround. It will definitely require some UI and UX tweaks to make it appealing to your users but should solve your case.

Hope it helps!

Hi Konrad,
Thanks for the reply.
It looks like I was unclear with my question.
Assuming that we already have the user’s phone number, what endpoint (or preferably function in the Auth0 iOS SDK) can we use in order to trigger an SMS being sent to the user? We’re trying to build the MFA flow natively but we don’t know the endpoints to use.

Sure, no problem! Totally got your use case! Here’s the step-by-step guide on how to set up multifactor authentication using SMS:

Let me know if that helps!

Hi Konrad,
I’m working with Yuval on this task and we’re still trying to work out how to move forward for our iOS app.
To enable 2-step authentication with SMS, it seems like we have 2 options:

  1. Use the Guardian SDK to make it the receiver of MFA requests. This doesn’t seem like the right thing for an end user app, right?
  2. Integrate Twilio ourselves to perform the 2-step authentication. That also doesn’t seem right, it feels like we’d be circumnavigating the Auth0 process for that.

Can you please let us know what is the right process? We’re incredibly lost and we can’t find our way through the documentation.

Thanks for your help!

Hey @guy!

Yep, you’re right, none of them seems to be perfect in your scenario. I’ve discussed it with our developer support engineers and basically the core thing about invoking MFA is that it’s not possible to invoke MFA without invoking Auth0 authentication - which you’ve done, but the MFA is triggered via rules which always execute after successful authentication. Here are a couple of links that will potentially guide you to the final solution

Let me know if that helps!

Hey @konrad.sopala,

Thanks for your help, we managed to work it out in the end!

It was a bit hard to work out the full flow. If there was some diagram to show, for example, needing to call mfa/challenge and then, if the user has no authenticator, call mfa/associate, and so on. Even though all the information is there in the documentation such a thing would make it easier to conceptualise.

Thanks again.

1 Like
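
The flow described in the post above (call mfa/challenge, and call mfa/associate when the user has no authenticator), written out as an added example that is not part of the original thread or Auth0's own code. It assumes the JSON field names, the `association_required` error code and the `mfa-oob` grant type of Auth0's MFA API (check them against the current documentation), a public native client, and placeholder `domain` and `clientId` values; `mfaToken` is the MFA token returned with the MFA-required login error.

```swift
import Foundation

// Assumed placeholders: substitute your own tenant domain and client ID.
let domain = "YOUR_TENANT.auth0.com"
let clientId = "YOUR_CLIENT_ID"

enum MFAError: Error { case api(code: String, description: String), malformedResponse }

/// POSTs JSON to the tenant and decodes the JSON reply; non-2xx replies become MFAError.api.
func post(_ path: String, body: [String: Any], bearer: String? = nil) async throws -> [String: Any] {
    var request = URLRequest(url: URL(string: "https://\(domain)\(path)")!)
    request.httpMethod = "POST"
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    if let bearer = bearer {
        request.setValue("Bearer \(bearer)", forHTTPHeaderField: "Authorization")
    }
    request.httpBody = try JSONSerialization.data(withJSONObject: body)
    let (data, response) = try await URLSession.shared.data(for: request)
    let json = (try? JSONSerialization.jsonObject(with: data)) as? [String: Any] ?? [:]
    guard let http = response as? HTTPURLResponse, (200..<300).contains(http.statusCode) else {
        throw MFAError.api(code: json["error"] as? String ?? "unknown",
                           description: json["error_description"] as? String ?? "")
    }
    return json
}

/// Challenge first; enrol the phone number only when no authenticator is associated yet.
/// mfaToken is a short-lived bearer credential: keep it in memory and out of logs.
func sendSMS(mfaToken: String, phoneNumber: String) async throws -> String {
    let reply: [String: Any]
    do {
        reply = try await post("/mfa/challenge", body: [
            "client_id": clientId, "challenge_type": "oob", "mfa_token": mfaToken])
    } catch MFAError.api(let code, _) where code == "association_required" {
        reply = try await post("/mfa/associate", body: [
            "authenticator_types": ["oob"], "oob_channels": ["sms"],
            "phone_number": phoneNumber], bearer: mfaToken)
    }
    guard let oobCode = reply["oob_code"] as? String else { throw MFAError.malformedResponse }
    return oobCode
}

/// Exchanges the oob_code and the code the user typed from the SMS for tokens.
func verify(mfaToken: String, oobCode: String, smsCode: String) async throws -> [String: Any] {
    try await post("/oauth/token", body: [
        "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob",
        "client_id": clientId, "mfa_token": mfaToken,
        "oob_code": oobCode, "binding_code": smsCode])
}
```

Store the tokens returned by `verify` in the Keychain rather than in user defaults or logs.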

Gotchya! It’s actually very helpful feedback, can you share it using our feedback site so we can add it to our roadmap?

Here’s the feedback site:

Thanks for that!
