Wanting an advice for device detection on general authentication flow

Get Help
, ,
1

Dear Community members.

We are have implemented login flow with password and MFA via SMS by using the Auth0.
And to achieve better security, we would like to add another func and having some problem…
Could somebody help us to resolve the issue below.

Background:
Normally, we let users login with one mobile device. (Smart phone, tablet and so on)
And if user is trying to login with another device, we would like to ask user if s/he accepts the login on it.

It is something like the login flow of Apple ID, like, when user is trying to login with new device, notification is sent to another Apple device s/he owns, then ask if the login is conducted by him/herself
and allow him/her to login once s/he accepts it.

Problem

We would like to achieve this by some additional operations on our server side after login completed.
However, once the authentication is done, the access token and refresh token is sent to device via http and it can be easily intercepted by some network monitoring tools on device, I guess.

So, if possible, we would like to achieve it on the Authentication flow happening on Auth0 login page.

Could somebody give us some advice to achieve it??

3

Hi @sohei_c,

Welcome to the Community!

It sounds like MFA might be what you are looking for. You can find resources about MFA and read about how to implement it with Auth0 here:
https://auth0.com/docs/mfa

4

Hi @stephanie.chamblee !
Thanks for your reply!!!

I found Auth0 Guadian here.
I guess this is what you mean here???

5

Yes, that’s right! You can use guardian or another method if you wish such as SMS.

6

Thanks @stephanie.chamblee !!!
This looks super nice.

Can this method be used with SMS MFA?
We would like to use

  • email
  • SMS
  • Guardian
    to protect user’s data.

Can the several options of MFA be used for the authentication??

7

Yes, you can enable multiple types of MFA options.

I don’t know what type of plan you have, but I realized that I forgot to let you know that built-in MFA is supported in the Developer Pro plan: MFA Free Plan Limit - #5 by dan.woda

Just wanted to give you a heads up! Thank you.

8

Thanks @stephanie.chamblee !!
Great, then should be no problem with using the Guardian.
We are already using the Production plan, so should be no. problem with using it!

I really appreciate your cooperation and thankful to the informations!!! :slight_smile: