Enable SMS for MFA Using Auth0 and Twilio
Published on August 23, 2022In this lab, you will:
- Define an MFA Factor using a phone message.
- Define, apply, and test an MFA policy.
- Use Twilio to deliver MFA codes via SMS.
What is MFA?
When you configure Multi-Factor Authentication (MFA) to use SMS as an authentication factor, Auth0 will send your users a code via SMS as part of the authentication process. Your users will have to enter that code in a login form to complete the login transaction. This interaction implies that your users can prove their digital identity by providing:
- Something they know: your users know their login credentials.
- Something they own: your users have the device that they have registered to use with MFA.
MFA with Twilio
Auth0 has built-in support for sending messages through Twilio, a popular customer engagement platform. Auth0 can use Twilio to deliver MFA verification code via text messages as part of your user login flow.
When you use Twilio with Auth0, you can customize the message content depending on the user or the application that triggered the login transaction. You can also add custom logic before sending a message to a user.
Lab Setup
Required hardware
You need a mobile phone with SMS service to complete this lab and valid phone number to activate your Twilio account.
Create an Auth0 Account
If you already have an Auth0 account, you can log in to your tenant and continue to the next step.
Otherwise, sign up for a free Auth0 account.
During the sign-up process, you create something called an Auth0 Tenant, representing the product or service to which you are adding authentication.
Create an Account with Twilio
Visit "Try Twilio" to get started with a free Twilio account. Twilio does not require you to provide any credit card information to try their services.
Be ready to have a valid phone number to verify your Twilio account. You may need to answer some quick questions as part of the sign-up process with Twilio.
Access the Twilio Console
Once you create a Twilio account and log in, you'll see the Twilio Console. You'll use the Twilio Console to manage your Twilio account and any applications that you decide to connect with Twilio services.
For this exercise, you'll need to locate your Twilio Account String Identifier (SID) and your Twilio Auth Token, which you'll use later to configure MFA with Auth0.
You can locate the Account SID and the Auth Token within the "Account Info" box of your Twilio Console.
Safeguard your Account SID and Auth Token as they are credentials that Twilio uses to determine which Twilio account should receive incoming API requests. The Account SID acts as a username and the Auth Token acts as a password. As such, never give out your Auth Token to anyone or expose it to the public.
To send an SMS using Twilio, you'll need either a Twilio Messaging Service SID or a Twilio Phone Number. A Twilio Phone Number is a virtual yet standard telephone number that is not locked down to a physical phone. For simplicity, you'll use a Twilio Phone Number to send your MFA SMS codes.
Check the official documentation from Twilio to "Get your first Twilio phone number". Upon success, you'll see a message confirming that Twilio has assigned you a phone number. Your Twilio Phone Number is listed under the "Account Info" section of the Twilio Console.
Define an MFA Factor
For this exercise, you'll configure the "Phone Message" factor by following these steps:
- Head to the Auth0 Dashboard.
- Locate the "Security" section on the left-hand menu. Under this section, click the "Multi-factor Auth" sub-section.
- Click the "Phone Message" option under the "Factors" list to open its configuration page.
Now, let's explore in detail how you can configure this factor.
Configure your delivery provider
The "Phone Message" factor is disabled by default if you are using a new tenant. To enable it, click the toggle button in the upper-right corner. The toggle button should turn green.
You may see a message that your plan includes 100 SMS codes. That limit is acceptable for trying out this feature. However, you'll configure an SMS delivery provider like Twilio to remove that limit in production.
Locate the "Configure your delivery provider" and select "Twilio" as your delivery provider, which allows you to use your Twilio account to deliver SMS messages for MFA. For simplicity, keep the default delivery method, "SMS".
Configure your Twilio delivery provider
Right below the delivery method selection, you'll see two fields to enter your Twilio Account SID and Twilio Auth Token. Copy and paste those values from your Twilio Console into the corresponding field.
Select your "SMS Source". Depending on your selection, you'll need to enter your "Twilio Messaging Service SID" or a "From" phone number. Your users will see what you enter as the sender of the SMS.
Select the "Use From" to use your Twilio phone number for simplicity. Copy and paste your Twilio Phone Number from the Twilio Console into the "From" field.
You'll see the "Enrollment Template" and "Verification Template" fields below this field, which you can use to customize the message your users get when they enroll a new device for MFA and when they log in after MFA enrollment. You can leave the default value for both of these fields.
Complete the factor configuration
Finally, click the "Save" button at the end of the page to complete configuring the "Phone Message" factor.
You have effectively set up Twilio as an SMS delivery provider.
Define an MFA Policy
Once you have configured your MFA factor, scroll to the top of the page and click the "Back to Multi-factor Authentication" link.
Once you are back on the "Multi-factor Authentication" page, scroll past the "Factors" section and locate the "Define policies" section. Recall that an MFA policy determines when Auth0 will prompt your users to provide additional authentication factors to log in successfully. You must define a policy to enforce MFA in your applications.
Looking at the "Require Multi-factor Auth", you'll notice that "Never" is the default selection. This selection means that Auth0 will never require users to authenticate using an additional factor for any application registered under your Auth0 tenant.
For this exercise, select "Always" to always require an additional authentication factor to log in. Then, click the "Save" button.
Did you get a warning about enabling MFA?
You may see a modal warning you about the possible consequences of always requiring MFA:
All new and existing users who are not enrolled in Multi-factor Authentication will be required to enroll using one of the enabled factors the next time they log in. This will apply across all applications within your tenant.
If it shows up, click the "Continue" button.
Test Your MFA Strategy with Twilio SMS
Use the Auth0 Dashboard to log in
Instructions
- Visit the Auth0 Dashboard home page.
- Locate the "Try your Login box" under the "Next Steps" section.
- Click the "Try it out" link.
- Log in using any of the available login options.
Expected results
The Auth0 Universal Login page should prompt you to use two authentication factors to complete your login—or sign-up:
- If you sign up, you need to provide...
- Something you know: You must create a username/password combination or use a social login provider like Google (if you have enabled that feature in your Auth0 tenant).
- Something you have: You'll have to enroll your phone number for MFA.
- If you log in, you need to provide...
- Something you know: You must use a username/password combination or a social login provider like Google.
- Something you have: You'll have to enter an SMS code that Auth0 has sent through Twilio to your phone number.
Recap
You have effectively set up MFA SMS with Twilio, reducing the likelihood of many cyber-attacks. It's common for third parties to steal usernames and passwords or programmatically attack user accounts. An additional MFA factor, such as an SMS code, impedes these violations, protecting the data and privacy of your users.