WebAuthn for accessing the Auth0 Dashboard with MFA

WebAuthn with Security Keys and Device Biometrics are available for Dashboard users to access the Auth0 Dashboard using multi-factor authentication.

Starting today, you can add WebAuthn with Security Keys and WebAuthn with Device Biometrics as new multi-factor authentication methods to log in to our management Dashboard, in addition to the currently supported Guardian, OTP, and SMS factors.

WebAuthn combines maximum security with a low-friction user experience. We encourage you to add another layer of protection to your account by enabling them in your Account Settings page.

This notification applies to the account you use to log in to Auth0 and manage your tenants in our Dashboard. Please refer to our documentation for how to enable MFA and WebAuthn for your end-users to log in to your own Applications.

Background

The Web Authentication API (also known as WebAuthn) is a specification written by W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows users to be authenticated using public-key cryptography.

WebAuthn is the most secure and usable authentication method on the web. Some key reasons for this are:

  • It minimizes login friction. A simple and familiar gesture lets users authenticate.
  • It’s the only web authentication method that is phishing resistant.
  • It’s standards-based and implemented across browsers and operating systems.

WebAuthn lets users authenticate with two types of authenticators, and both are enabled for Dashboard users:

  • Roaming authenticators (WebAuthn with FIDO Security Keys) are removable and cross-platform, like a Yubikey, and can be used on multiple devices. To authenticate with a roaming authenticator, you need to connect it to the device (through USB, NFC, or Bluetooth) and provide proof of presence (by touching it, for example).
  • Platform authenticators (WebAuthn with FIDO Device Biometrics) are attached to a device and only work on that device. Some examples are MacBook’s Touch Bar, Windows Hello, iOS Touch ID/Face ID, and Android’s fingerprint/face recognition. Since they only work on that device, we require at least one other factor enrolled in your profile before enrolling Device Biometrics.

What changed?

We’ve added two new options for enrolling MFA factors for Dashboard users: WebAuthn with FIDO Security Keys and WebAuthn with FIDO Device Biometrics, in addition to the existing ones: Guardian (push notifications), OTP (Google Authenticator or similar), and SMS.

All Auth0 users can opt-in to use MFA to log in to our Dashboard and are encouraged to do so and enroll multiple devices. Doing so allows you to authenticate to Auth0 with another device if you lose your primary authenticator device. You can manage your devices from the Account Settings page.

You can read more about configuring MFA for Dashboard users in our Docs.

How does this affect me?

If you have MFA enabled for your Auth0 account (in your Account Settings - not for end-users of your applications), the next time you log in to Auth0 from a device that supports WebAuthn with Device Biometrics, you will be asked to enroll the device for a faster login.

If you don’t yet have MFA enabled, no immediate action is required. However, we recommend enabling MFA from your Account Settings page and making sure multiple factors are enrolled.

We highly recommend WebAuthn (either with FIDO Security Keys, Device Biometrics, or both) as the preferred method. It is considered the most secure factor and the one with the least friction in the user experience.

While it is important to enable MFA for additional protection of your account, notice that it also requires further responsibility for making sure you do not lose access. Adding one or two security keys in addition to Push or OTP is strongly recommended. If you are locked out, and none of your enabled MFA factors are available for you, there is no guarantee that you can regain access to your account, as we may not be able to confirm ownership of it.

https://auth0-docs-staging.herokuapp.com/docs/dashboard-access/add-change-remove-mfa
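The phishing resistance and proof-of-presence properties described in the Background section come from what the relying party checks when it receives a WebAuthn assertion. The following Go program is an added example written for this page; it is not Auth0's code and does not show how the Dashboard implements MFA. It assumes a constructed relying party (`rpID` of `example.com`, origin `https://example.com`), a constructed challenge, and a simulated authenticator (`signAssertion`, backed by a freshly generated P-256 key) standing in for a real security key or platform authenticator. It then verifies a genuine assertion and rejects one relayed through a look-alike origin, whose clientDataJSON origin and rpIdHash are set by the browser and not by the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party settings for this example (not Auth0's real values).
const (
	rpID   = "example.com"
	origin = "https://example.com"
	flagUP = 0x01 // authenticator-data flag: user present (the touch or gesture)
)

// Assertion holds what navigator.credentials.get() returns, base64url-decoded.
type Assertion struct {
	AuthData, ClientDataJSON, Signature []byte
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// VerifyAssertion runs the relying-party checks for a "webauthn.get" ceremony
// and returns the authenticator's new signature counter on success.
func VerifyAssertion(a Assertion, pub *ecdsa.PublicKey, challenge []byte, lastCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return 0, errors.New("challenge mismatch")
	}
	// The browser, not the page, fills in the origin, so a look-alike site
	// cannot claim the real one: this is where phishing resistance comes from.
	if cd.Origin != origin {
		return 0, fmt.Errorf("origin %q is not %q", cd.Origin, origin)
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	// Bytes 0..31: SHA-256 of the RP ID the browser allowed the page to use.
	rpHash := sha256.Sum256([]byte(rpID))
	if string(a.AuthData[:32]) != string(rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&flagUP == 0 {
		return 0, errors.New("user presence not asserted")
	}
	// Bytes 33..36: signature counter; no increase suggests a clone or a replay.
	counter := binary.BigEndian.Uint32(a.AuthData[33:37])
	if counter != 0 && counter <= lastCounter {
		return 0, errors.New("signature counter did not increase")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return counter, nil
}

// signAssertion simulates an authenticator (it is not a real one) answering a
// challenge relayed by a browser at seenOrigin, which only permits seenRpID.
func signAssertion(key *ecdsa.PrivateKey, counter uint32, challenge []byte, seenOrigin, seenRpID string) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(seenRpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flagUP | 0x04 // 0x04: user verified (PIN or biometric)
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: seenOrigin})
	if err != nil {
		return Assertion{}, err
	}
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, err
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed-challenge-0123456789") // a real RP draws this randomly per login
	genuine, _ := signAssertion(key, 1, challenge, origin, rpID)
	fmt.Println(VerifyAssertion(genuine, &key.PublicKey, challenge, 0))
	phished, _ := signAssertion(key, 2, challenge, "https://example.com.evil.test", "example.com.evil.test")
	fmt.Println(VerifyAssertion(phished, &key.PublicKey, challenge, 1))
}
```

The genuine assertion verifies and returns counter 1; the one relayed through `https://example.com.evil.test` fails on the origin check before the signature is even examined, and would also fail the rpIdHash check, because the browser only lets a page use an RP ID that is a registrable suffix of its own domain. The counter comparison is what lets a relying party notice a cloned authenticator, which is one reason the announcement asks you to enroll several devices rather than share one.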


This is great news!

What about custom integrations? The Universal Login experience is pretty cool when you use Auth0 to manage authentication for enterprise-grade services; it has this feeling of a “pro” authentication solution.

However, it’s not very end-user friendly, let’s say for e-commerce or e-tourism use cases.
So do you have a public roadmap for the rollout of a public Auth0 API to enroll devices through WebAuthn?

Hi @shouze,

Is your question about using WebAuthn for MFA for end users? This update is for logging into the Auth0 Dashboard as an Auth0 tenant admin; however, you can find more info about end-user passwordless authentication with WebAuthn here: Configure WebAuthn with Device Biometrics for Passwordless Authentication

Let me know if that is what you are looking for. Thanks!