Client-Initiated Backchannel Authentication Implementation Options

Overview

This article clarifies whether Client-Initiated Backchannel Authentication (CIBA) can be implemented without the Auth0 Guardian App and outlines the available verification methods.

Applies To
  • Client-Initiated Backchannel Authentication (CIBA)

Solution

CIBA can be implemented with or without the Auth0 Guardian App. Specifically, One-Time Password (OTP) codes can be used as the verification method within the CIBA flow. The following methods are available:

Mobile Push Notifications

This is the standard out-of-band authentication method for CIBA.

    • Auth0 Guardian App: The standard implementation where the user approves the request via the official app.

    • Guardian SDK: If requiring customers to download the Auth0 Guardian App is not desired, the notification functionality can be embedded into a custom mobile application using the Guardian SDK.

Email Notifications

If a mobile app solution is not feasible, CIBA can be configured to use email.

    • Flow: The user receives an email containing a link to initiate a web-based authentication flow.

    • Requirement: The Email Notification capability for CIBA generally requires a specific add-on SKU to the Auth0 subscription.
