Combine Passwordless Authentication with the Multi-Factor Authentication API in Auth0

Overview

Auth0 supports combining passwordless authentication with multifactor authentication (MFA) via the MFA API. While standard documentation covers the Resource Owner Password Credentials Grant (ROPG) flow, Auth0 also supports the passwordless flow. The process involves initiating passwordless authentication, verifying the one-time password (OTP) to obtain an MFA token, enrolling the authenticator, and completing the MFA challenge.

Applies To
  • Auth0
  • Passwordless Authentication
  • Multi-Factor Authentication (MFA) API

Solution

How is passwordless authentication combined with the MFA API?

To use passwordless authentication combined with multifactor authentication via the MFA API, initiate the passwordless flow, verify the one-time password (OTP), enroll the authenticator, and complete the challenge.

  1. Initiate passwordless authentication by sending a POST request to the [/passwordless/start](Get Code or Link) endpoint using the following command. 
    curl -L -g 'https://<tenant_domain>/passwordless/start' \
    -H 'Content-Type: application/json' \
    -d '{"client_id":"<client_id>","client_secret":"<client_secret>","connection":"sms","phone_number":"<phone_number>","send":"code"}'
  2. Verify the OTP and obtain the MFA token by sending a POST request to the [/oauth/token](Authenticate User) endpoint using the following command. Set the audience parameter to the tenant's MFA API endpoint to prompt Auth0 to return an mfa_token in the response. This token chain uses passwordless authentication as the first factor, with MFA as the second.
    curl -L -g 'https://<tenant_domain>/oauth/token' \
    -H 'Content-Type: application/json' \
    -d '{"grant_type":"http://auth0.com/oauth/grant-type/passwordless/otp","client_id":"<client_id>","client_secret":"<client_secret>","otp":"<otp_code>","realm":"sms","username":"<username>","audience":"https://<tenant_domain>/mfa/","scope":"openid profile email","redirect_uri":"<redirect_uri>"}'
  3. Enroll the MFA authenticator by sending a POST request to the [/mfa/associate](Enroll and Challenge SMS and Voice Authenticators) endpoint using the following command.
    curl --request POST \
      --url 'https://<tenant_domain>/mfa/associate' \
      --header 'authorization: Bearer <mfa_token>' \
      --header 'content-type: application/json' \
      --data '{ "authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": "<phone_number>" }'
  4. Complete the MFA challenge by sending a POST request to the [/oauth/token](Enroll and Challenge SMS and Voice Authenticators) endpoint using the following command.
    curl --request POST \
      --url 'https://<tenant_domain>/oauth/token' \
      --header 'authorization: Bearer <mfa_token>' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=http://auth0.com/oauth/grant-type/mfa-oob' \
      --data 'client_id=<client_id>' \
      --data 'client_secret=<client_secret>' \
      --data 'mfa_token=<mfa_token>' \
      --data 'oob_code=<oob_code>' \
      --data 'binding_code=<otp_code>'
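The four steps above chained into one small client, as an added example rather than Auth0's own code or SDK: the class and method names are assumptions, and the `post` callable is injectable so the sequence can be exercised against constructed responses. Each step is a separate call because the OTP (step 2) and the SMS binding code (step 4) arrive out of band, and since client_secret is sent in every request this belongs on a backend, not in a browser or mobile app.

```python
import json
import urllib.error
import urllib.request
# Added example, not Auth0's own code: the four calls above as one client.
# `post` is injectable so the flow can run against constructed responses;
# class, method and argument names here are assumptions, not Auth0 API names.

def http_post(url, body, headers=None):
    """Default transport: JSON POST to the tenant, parsed JSON back."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", **(headers or {})})
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # e.g. 403 mfa_required still carries a JSON body
        return json.loads(err.read())

class PasswordlessMfaFlow:
    def __init__(self, domain, client_id, client_secret, post=http_post):
        self.base, self.post, self.mfa_token = f"https://{domain}", post, None
        self.creds = {"client_id": client_id, "client_secret": client_secret}

    def start(self, phone):  # step 1: Auth0 texts the first-factor OTP
        return self.post(f"{self.base}/passwordless/start", {**self.creds,
            "connection": "sms", "phone_number": phone, "send": "code"})

    def exchange_otp(self, username, otp, redirect_uri):  # step 2: first factor
        resp = self.post(f"{self.base}/oauth/token", {**self.creds,
            "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",
            "otp": otp, "realm": "sms", "username": username,
            "audience": f"{self.base}/mfa/",  # MFA API audience => MFA token back
            "scope": "openid profile email", "redirect_uri": redirect_uri})
        # mfa_required error carries mfa_token; an MFA-API access_token also works (assumption)
        self.mfa_token = resp.get("mfa_token") or resp.get("access_token")
        if not self.mfa_token:
            raise RuntimeError(f"no MFA token in response: {resp}")
        return self.mfa_token

    def associate_sms(self, phone):  # step 3: enroll OOB/SMS, returns oob_code
        resp = self.post(f"{self.base}/mfa/associate", {"authenticator_types":
            ["oob"], "oob_channels": ["sms"], "phone_number": phone},
            {"Authorization": f"Bearer {self.mfa_token}"})
        return resp["oob_code"]

    def complete(self, oob_code, binding_code):  # step 4: second factor
        return self.post(f"{self.base}/oauth/token", {**self.creds,
            "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob",
            "mfa_token": self.mfa_token, "oob_code": oob_code, "binding_code": binding_code},
            {"Authorization": f"Bearer {self.mfa_token}"})
```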
