Auth0 Guardian

Overview

Auth0 Guardian is a component of the Auth0 identity management platform, specifically engineered to deliver multi-factor authentication (MFA) capabilities. It provides a mechanism to add an extra layer of security beyond traditional username and password combinations, which is a recommended practice for protecting user accounts against unauthorized access by industry standards. Guardian facilitates this through a mobile application that users install on their devices, enabling push notifications for login approvals and the generation of one-time passcodes (OTPs).

The system is designed for developers who need to integrate strong authentication methods into their applications without building the underlying infrastructure. It supports various authentication factors, including push notifications for a frictionless user experience and time-based one-time passwords (TOTP) for broader compatibility. Developers can configure Guardian as part of their Auth0 authentication flows, allowing for a customizable approach to how and when MFA is prompted for users. This includes setting up policies based on user groups, device context, or application type.

Auth0 Guardian targets a broad audience, from small startups to large enterprises, aiming to enhance the security posture of their applications. It is particularly suitable for organizations that prioritize developer experience, offering extensive documentation and SDKs for integration across different platforms and frameworks. The platform's flexibility allows for its deployment in various scenarios, such as securing customer-facing applications (B2C), business applications (B2B), and machine-to-machine interactions. By offloading the complexity of MFA implementation, Auth0 Guardian allows development teams to focus on core application features while maintaining compliance with security standards like ISO 27001 and PCI DSS.

Beyond its core MFA functionalities, Auth0 Guardian is part of a larger identity platform that includes features like Universal Login, B2B Authentication, and Authorization, providing a comprehensive solution for identity management. The integration of Guardian into these services means that developers can manage authentication and authorization policies from a centralized dashboard, simplifying the operational overhead of securing multiple applications and user bases.

Key features

• Push Notifications: Delivers real-time login requests directly to a user's registered mobile device for one-tap approval or denial.
• One-Time Passcodes (OTPs): Generates time-based one-time passcodes (TOTP) that users can input manually as a second factor, compatible with standard authenticator apps.
• Biometric Authentication: Supports integration with device-native biometrics (e.g., fingerprint, facial recognition) for an additional layer of security on mobile devices.
• Customizable MFA Policies: Allows administrators to define rules for when MFA is required, such as for specific applications, user roles, or based on risk signals.
• Device Management: Provides capabilities to manage and revoke registered devices used for multi-factor authentication.
• Developer-Friendly SDKs: Offers client libraries and APIs for integration with various programming languages and platforms, simplifying implementation.
• Centralized Management: Configured and managed through the Auth0 Dashboard, providing a unified interface for all authentication-related services.
• Offline Mode Support: Enables OTP generation even when the user's mobile device lacks an internet connection.

Pricing

Auth0 offers a free tier for developers and small projects, with paid plans structured around active users and included features. As of May 2026, the pricing details are summarized below:

For detailed and up-to-date pricing information, including volume discounts and feature breakdowns, refer to the Auth0 pricing page.

Common integrations

• Web and Mobile Applications: Auth0 Guardian integrates directly with applications built using various frameworks like React, Angular, Vue.js, iOS, Android, and others via Auth0's SDKs. A common integration pattern involves using Auth0's Universal Login to present the MFA challenge.
• Single Sign-On (SSO) Systems: Works with Auth0's broader SSO capabilities, allowing users to authenticate once and access multiple applications with Guardian providing the second factor.
• Identity Providers: Integrates with enterprise identity providers such as Active Directory, Azure AD, and Okta, extending MFA capabilities to existing user directories.
• API Gateways: Can be integrated with API gateways like Kong Gateway or AWS API Gateway to secure API access with MFA challenges.
• CRM and ERP Systems: Enhances security for access to systems like Salesforce or SAP by requiring MFA during login processes managed by Auth0.
• Cloud Platforms: Integrates with cloud platforms like AWS, Google Cloud, and Azure for securing access to cloud resources or applications deployed on these platforms.
• Developer Tools: Works with developer tools and CI/CD pipelines where access control benefits from stronger authentication.

Alternatives

• Okta: A comprehensive identity platform offering advanced MFA, adaptive authentication, and extensive enterprise integrations.
• Firebase Authentication: Google's backend-as-a-service offering, providing email/password, social, and phone number authentication with MFA capabilities for mobile and web apps.
• Amazon Cognito: AWS's solution for managing user identities, authentication, and authorization, including MFA support for mobile and web applications.
• Twilio Verify: Focuses on programmatic verification services, primarily for phone and email, used for MFA and other verification flows.
• Microsoft Azure AD MFA: Microsoft's cloud-based MFA service for securing access to Azure AD resources and integrated applications.

Getting started

To integrate Auth0 Guardian for multi-factor authentication, you typically begin by configuring MFA within your Auth0 tenant and then enabling Guardian as an MFA factor. The following JavaScript example demonstrates how a client-side application might initiate an authentication flow that triggers MFA:

// Example using Auth0's JavaScript SDK to log in a user and trigger MFA if configured

import { Auth0Client } from '@auth0/auth0-spa-js';

const auth0 = new Auth0Client({
  domain: 'YOUR_AUTH0_DOMAIN',
  clientId: 'YOUR_AUTH0_CLIENT_ID',
  redirect_uri: window.location.origin
});

async function login() {
  try {
    await auth0.loginWithRedirect({
      appState: { targetUrl: window.location.pathname },
    });
  } catch (err) {
    console.error("Login failed", err);
  }
}

async function handleRedirectCallback() {
  if (window.location.search.includes('code=') && window.location.search.includes('state=')) {
    try {
      const { appState } = await auth0.handleRedirectCallback();
      window.history.replaceState({}, document.title, appState?.targetUrl || '/');
      // After successful login, if MFA is enabled and required, Auth0 will handle the prompt.
      // For Auth0 Guardian, this typically involves a push notification to the user's registered device.
      const user = await auth0.getUser();
      console.log("User logged in:", user);
    } catch (err) {
      console.error("Error handling redirect callback", err);
    }
  }
}

// Call handleRedirectCallback on page load to process the authentication result
window.addEventListener('load', handleRedirectCallback);

// Example button click to trigger login
document.getElementById('loginButton').addEventListener('click', login);

Before running this code, ensure you have initialized your Auth0 tenant, created an application, and enabled Auth0 Guardian as an MFA factor in your Auth0 Dashboard under Security > Multi-factor Auth > Guardian. Users will need to download and register the Auth0 Guardian app on their mobile device to receive push notifications or generate OTPs.