How to Enroll a User in Both Google Authenticator and SMS with MFA API

Overview

This article provides a guide on how to programmatically enroll a user in multiple Multi-Factor Authentication (MFA) methods, specifically Time-based One-Time Password (TOTP) and SMS, using the Auth0 MFA API. The process requires enrolling each factor individually.

Applies To

  • Multi-Factor Authentication (MFA) API
  • Time-based One-Time Password (TOTP)
  • SMS Factor

Solution

To enroll a user in both TOTP (e.g., Google Authenticator) and SMS, each factor must be enrolled in a separate, sequential flow. The API does not support enrolling multiple factors in a single request.

Prerequisites:

  • In the Auth0 Dashboard, navigate to Security > Multi-factor Auth and ensure both the Phone Message and One-time Password factors are enabled.

Flow 1: Enroll the SMS Factor

  1. Request an MFA Token: Authenticate the user to obtain an mfa_token.

    • To generate this token, the request to /authorize must include the audience https://{YOUR_DOMAIN}/mfa/ and the enroll scope.
    • The user then logs in, including authenticating with their existing primary MFA factor.
    • An access token is returned with the MFA API identifier in the aud array.
    • This access token is used as the MFA API token (the mfa_token in the requests below).
  2. Associate the SMS Factor: Make a POST request to /mfa/associate, sending the mfa_token as a Bearer token and specifying oob (Out-of-Band) as the authenticator type together with the user's phone number.

    • Endpoint: POST /mfa/associate

    • Headers: Authorization: Bearer YOUR_MFA_TOKEN

    • Body:

      {
        "authenticator_types": ["oob"],
        "oob_channels": ["sms"],
        "phone_number": "+15555551234"
      }

  3. Confirm the Enrollment: The user will receive an SMS with a code. Make a POST request to /oauth/token using the http://auth0.com/oauth/grant-type/mfa-oob grant type and include the mfa_token, the oob_code returned by /mfa/associate, and the code from the SMS as the binding_code.

Flow 2: Enroll the TOTP Factor

After the first factor is enrolled, a subsequent login will be required to enroll the second factor.

  1. Request a New MFA Token: When the user logs in again, they will be prompted to authenticate with their already-enrolled SMS factor. After successful authentication, a new mfa_token will be issued.

  2. Associate the TOTP Factor: Make a POST request to /mfa/associate, sending the new mfa_token as a Bearer token and specifying otp as the authenticator type.

    • Endpoint: POST /mfa/associate

    • Headers: Authorization: Bearer YOUR_NEW_MFA_TOKEN

    • Body:

      {
        "authenticator_types": ["otp"]
      }

    • The response will contain a barcode_uri and a secret for the user to add to their authenticator app.

  3. Confirm the Enrollment: The user enters the code from their authenticator app. Make a POST request to /oauth/token using the http://auth0.com/oauth/grant-type/mfa-otp grant type and include the mfa_token and the otp code to finalize the enrollment.

After completing both flows, the user will be enrolled in both SMS and TOTP and can choose which factor to use for future logins.
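The two flows above, carried through in order as an added example (this is not Auth0's own code or SDK). It builds each request exactly as the steps describe: the /authorize URL with the MFA API audience and enroll scope, a sanity check that the returned access token carries that audience, the two /mfa/associate calls with the token as a Bearer header, and the two /oauth/token confirmations. The HTTP layer is a callable, and the FakeTransport class is a constructed stand-in whose response values are made up, so the whole sequence runs offline; the "openid" scope, the domain, client_id, tokens and codes are assumptions.

```python
"""Both Auth0 MFA API enrollment flows (SMS first, then TOTP), end to end.

Added example, not Auth0's own code. The HTTP layer is abstracted as a
callable so the constructed FakeTransport below can drive the flow offline.
"""
import base64
import json
import urllib.parse
from typing import Any, Callable, Dict, List, Tuple

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"
MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"

# transport(url, headers, json_body) -> parsed JSON response
Transport = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def mfa_audience(domain: str) -> str:
    """The MFA API identifier, used as both audience and expected aud claim."""
    return f"https://{domain}/mfa/"


def authorize_url(domain: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1 of each flow: /authorize with the MFA API audience and the enroll
    scope ("openid" alongside it is an assumption, not required by the article)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "audience": mfa_audience(domain), "scope": "openid enroll", "state": state}
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def unsigned_jwt(claims: Dict[str, Any]) -> str:
    """Constructed test token (no real signature); only used to exercise has_mfa_audience."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


def has_mfa_audience(access_token: str, domain: str) -> bool:
    """Sanity check before using an access token as mfa_token: the MFA API
    identifier must be in aud. Only the payload is read; the signature is
    verified by Auth0, so this is not an authentication decision."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return mfa_audience(domain) in ([aud] if isinstance(aud, str) else aud)


def _associate(transport: Transport, domain: str, mfa_token: str, body: Dict[str, Any]):
    # The mfa_token travels as a Bearer token on /mfa/associate.
    headers = {"Authorization": f"Bearer {mfa_token}", "Content-Type": "application/json"}
    return transport(f"https://{domain}/mfa/associate", headers, body)


def associate_sms(transport: Transport, domain: str, mfa_token: str, phone_number: str):
    """Flow 1, step 2: enroll an out-of-band SMS authenticator."""
    body = {"authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": phone_number}
    return _associate(transport, domain, mfa_token, body)


def associate_totp(transport: Transport, domain: str, mfa_token: str):
    """Flow 2, step 2: enroll a TOTP authenticator; response carries secret and barcode_uri."""
    return _associate(transport, domain, mfa_token, {"authenticator_types": ["otp"]})


def confirm_sms(transport, domain, client_id, mfa_token, oob_code, binding_code):
    """Flow 1, step 3: oob_code comes from /mfa/associate, binding_code from the SMS."""
    body = {"grant_type": MFA_OOB_GRANT, "client_id": client_id, "mfa_token": mfa_token,
            "oob_code": oob_code, "binding_code": binding_code}
    return transport(f"https://{domain}/oauth/token", {"Content-Type": "application/json"}, body)


def confirm_totp(transport, domain, client_id, mfa_token, otp):
    """Flow 2, step 3: finalize with the code from the authenticator app."""
    body = {"grant_type": MFA_OTP_GRANT, "client_id": client_id, "mfa_token": mfa_token, "otp": otp}
    return transport(f"https://{domain}/oauth/token", {"Content-Type": "application/json"}, body)


class FakeTransport:
    """Constructed stand-in for HTTPS: records requests, replays made-up responses."""
    def __init__(self) -> None:
        self.requests: List[Tuple[str, Dict[str, str], Dict[str, Any]]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        self.requests.append((url, headers, body))
        if url.endswith("/mfa/associate"):
            if body["authenticator_types"] == ["oob"]:
                return {"authenticator_type": "oob", "oob_channel": "sms",
                        "oob_code": "OOB_CODE_EXAMPLE", "binding_method": "prompt"}
            return {"authenticator_type": "otp", "secret": "BASE32SECRETEXAMPLE",
                    "barcode_uri": "otpauth://totp/example"}
        return {"access_token": "ACCESS_TOKEN_EXAMPLE", "token_type": "Bearer"}


def enroll_both(transport, domain, client_id, sms_token, totp_token, phone, sms_code, app_code):
    """Run flow 1 then flow 2. totp_token must come from a second login, after
    the SMS enrollment has been confirmed, as the article requires."""
    sms = associate_sms(transport, domain, sms_token, phone)
    first = confirm_sms(transport, domain, client_id, sms_token, sms["oob_code"], sms_code)
    totp = associate_totp(transport, domain, totp_token)
    second = confirm_totp(transport, domain, client_id, totp_token, app_code)
    return {"sms_oob_code": sms["oob_code"], "totp_secret": totp["secret"],
            "first_ok": "access_token" in first, "second_ok": "access_token" in second}


if __name__ == "__main__":
    t = FakeTransport()
    print(enroll_both(t, "example.auth0.com", "CLIENT_ID", "TOKEN_1", "TOKEN_2",
                      "+15555551234", "123456", "654321"))
```

To use it against a real tenant, replace FakeTransport with a function that POSTs the JSON body over HTTPS and returns the parsed response; the request shapes do not change. Keeping the two flows as separate functions also makes the dependency explicit: the TOTP enrollment cannot reuse the first mfa_token, because that token was issued before the SMS factor existed.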
