We have implemented a login flow with password and MFA via SMS using Auth0.
To achieve better security, we would like to add another function and are having some problems…
Could somebody help us resolve the issue below?
Background:
Normally, we let users log in with one mobile device (smartphone, tablet and so on).
If a user tries to log in with another device, we would like to ask the user whether s/he accepts the login on it.
It is something like the Apple ID login flow: when a user tries to log in with a new device, a notification is sent to another Apple device s/he owns asking whether the login was conducted by him/herself,
and the login is allowed once s/he accepts it.
Problem:
We would like to achieve this with some additional operations on our server side after login is completed.
However, once authentication is done, the access token and refresh token are sent to the device via HTTP, and I guess they can be easily intercepted by some network monitoring tools on the device.
So, if possible, we would like to achieve it in the authentication flow that happens on the Auth0 login page.
Could somebody give us some advice on how to achieve it?
It sounds like MFA might be what you are looking for. You can find resources about MFA and read about how to implement it with Auth0 here: https://auth0.com/docs/mfa
Yes, you can enable multiple types of MFA options.
I don’t know what type of plan you have, but I realized that I forgot to let you know that built-in MFA is supported in the Developer Pro plan: MFA Free Plan Limit - #5 by dan.woda
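One way to get the new-device approval out of the MFA suggested above, as an added example that is not code from this thread or from Auth0: a post-login Action that triggers a Guardian push challenge unless MFA was already completed in the current transaction, and lets Auth0 remember the browser so an approved device is not challenged again. The `event.authentication.methods` and `api.multifactor.enable(provider, options)` shapes are the Actions API; the stub `api` object and the sample events are constructed for the example.

```javascript
// Added example, not code from the thread or from Auth0.
// Post-login Action: challenge with Guardian push when this login has not
// yet satisfied MFA. Auth0 lists a method named "mfa" in
// event.authentication.methods once the second factor is completed.

// Decide what, if anything, the Action should ask for on this login.
// Returns null when no challenge is needed, otherwise the provider/options
// to hand to api.multifactor.enable.
function planMfa(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  const mfaDone = methods.some((m) => m.name === "mfa");
  if (mfaDone) {
    return null; // second factor already completed in this transaction
  }
  // "guardian" selects a push notification to the user's enrolled Guardian app;
  // allowRememberBrowser lets the user mark this device as trusted so later
  // logins from the same browser skip the challenge.
  return { provider: "guardian", options: { allowRememberBrowser: true } };
}

// Apply the plan against the Actions api object.
function applyApproval(event, api) {
  const plan = planMfa(event);
  if (plan) {
    api.multifactor.enable(plan.provider, plan.options);
  }
  return plan;
}

// In the Auth0 Actions editor this is registered as exports.onExecutePostLogin.
const onExecutePostLogin = async (event, api) => {
  applyApproval(event, api);
};

// Offline driver: a recording stub stands in for the real api object and
// returns the enable() calls the Action made.
function runAction(event) {
  const calls = [];
  const api = { multifactor: { enable: (provider, options) => calls.push({ provider, options }) } };
  applyApproval(event, api);
  return calls;
}

// Constructed sample events: a password-only login (unknown device) and a
// login where the user already approved the push in this transaction.
const passwordOnlyLogin = { authentication: { methods: [{ name: "pwd" }] } };
const mfaCompletedLogin = { authentication: { methods: [{ name: "pwd" }, { name: "mfa" }] } };
```

The first sample yields one `enable("guardian", { allowRememberBrowser: true })` call and the second yields none, which is the approve-once-then-trust behaviour the question asks for.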
Thanks @stephanie.chamblee !!
Great, then there should be no problem with using Guardian.
We are already using the Production plan, so there should be no problem with using it!
I really appreciate your cooperation and am thankful for the information!!!