1. Personalized Multifactor Authentication Prompts via Auth0

    Python

    Multifactor Authentication (MFA) is an essential component of modern web security. It provides an additional layer of security by requiring two or more verification factors to authenticate a user's identity. These factors can include something the user knows (like a password), something the user has (like a smartphone), and something the user is (like a fingerprint).

    To personalize MFA prompts using Auth0, you'll generally need to configure the Auth0 tenant, add branding, set up MFA policies (like push notifications or OTPs), and potentially write custom actions to handle specific authentication flows.

    In the following Pulumi program written in Python, we will:

    1. Create an Auth0 Tenant: This represents your isolated instance of Auth0 where all your configurations and settings live.
    2. Customize Branding: Define the appearance of your authentication UI.
    3. Configure Guardian MFA: Guardian is Auth0's multifactor service. We'll set it up for push notifications and OTPs.

    Here's a Pulumi program using the pulumi-auth0 provider:

    import pulumi
    import pulumi_auth0 as auth0

    # Tenant configuration (Specify your tenant details)
    tenant = auth0.Tenant("my-tenant",
        # Change password page customization
        change_password=auth0.TenantChangePasswordArgs(
            enabled=True,
            html="<html>Change Password</html>",
        ),
        # Customization of the Guardian MFA page
        guardian_mfa_page=auth0.TenantGuardianMfaPageArgs(
            enabled=True,
            html="<html>MFA Page</html>",
        ),
        # Session and cookie settings (Adjust according to your security policies)
        session_lifetime=60,  # Session lifetime (the provider counts this in hours, not minutes)
        idle_session_lifetime=30,  # Idle session lifetime (also in hours)
    )

    # Branding customization (Specify your branding details)
    branding = auth0.Branding("my-branding",
        colors=auth0.BrandingColorsArgs(
            primary="#0000FF",  # Primary color for your branding
            page_background="#FFFFFF",  # Background color for your pages
        ),
        logo_url="https://example.com/logo.png",  # URL of your logo
    )

    # Guardian MFA settings
    guardian = auth0.Guardian("my-guardian",
        policy="all-applications",  # MFA is required for all applications
        phone=auth0.GuardianPhoneArgs(
            enabled=True,  # Enable MFA via phone
            message_types=["sms", "voice"],  # Types of messages for MFA
        ),
        push=auth0.GuardianPushArgs(
            enabled=True,  # Enable push notifications for MFA
            provider="sns",  # Use SNS as the push notification provider
            # Placeholders only: supply real values from Pulumi secret config, not literals
            amazon_sns=auth0.GuardianPushAmazonSnsArgs(
                aws_access_key_id="YOUR_AWS_ACCESS_KEY_ID_HERE",
                aws_secret_access_key="YOUR_AWS_SECRET_ACCESS_KEY_HERE",
                aws_region="us-west-2",
                sns_apns_platform_application_arn="YOUR_SNS_APNS_PLATFORM_APPLICATION_ARN_HERE",
                sns_gcm_platform_application_arn="YOUR_SNS_GCM_PLATFORM_APPLICATION_ARN_HERE",
            ),
        ),
        otp=True,  # Enable One Time Passwords for MFA
        recovery_code=True,  # Allow recovery code as a fallback
    )

    # Export the relevant URLs to access the branding and Guardian pages
    pulumi.export('auth0_tenant_settings_url', tenant.default_redirection_uri)
    pulumi.export('auth0_branding_url', branding.logo_url)
    # default_directory holds the tenant's default connection name, so check this
    # URL against your actual tenant domain before relying on it
    pulumi.export('auth0_guardian_mfa_url',
        pulumi.Output.concat('https://', tenant.default_directory, '.auth0.com/mfa'))

    Explanation of Resources:

    • Auth0 Tenant: Your own isolated instance on Auth0 where your configurations and settings are managed. It centralizes the user details, login settings, and security policies.

    • Branding: It's crucial to provide a smooth and consistent brand experience during the authentication process. The Branding resource is used to customize the look and feel of your login pages, including colors, logos, and background styles.

    • Guardian: Guardian is Auth0's MFA feature. In the configuration, the policy field determines which applications will require MFA, and the settings for phone, push, and otp determine how MFA is received and confirmed by the user.

    Expanding the Program:

    This is a basic setup. You might want to expand it to include custom rules, actions or more sophisticated branding based on your needs. Use additional resources from the pulumi_auth0 package to add these elements. Also, ensure you replace placeholder credentials with secure and relevant values suitable for your setup.
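
    A pre-deploy check for the placeholder-credential advice above, as an added example that is not part of the original program or of pulumi-auth0: it parses a Pulumi program with Python's ast module and reports credential arguments that are given as string literals instead of being read from secret config. The function names and the sample program are constructed for illustration; the config key awsSecretAccessKey is an assumed name.

```python
import ast

# Credential keyword arguments used by GuardianPushAmazonSnsArgs in the program above.
SENSITIVE_KWARGS = {"aws_access_key_id", "aws_secret_access_key"}

# Constructed sample: one literal credential, one read from Pulumi secret config.
SAMPLE_PROGRAM = '''
import pulumi
import pulumi_auth0 as auth0

config = pulumi.Config()
guardian = auth0.Guardian("my-guardian",
    policy="all-applications",
    push=auth0.GuardianPushArgs(
        enabled=True,
        provider="sns",
        amazon_sns=auth0.GuardianPushAmazonSnsArgs(
            aws_access_key_id="YOUR_AWS_ACCESS_KEY_ID_HERE",
            aws_secret_access_key=config.require_secret("awsSecretAccessKey"),
            aws_region="us-west-2",
        ),
    ),
)
'''

def _is_literal(value):
    # A plain string or an f-string means the value lives in the program source.
    return isinstance(value, ast.JoinedStr) or (
        isinstance(value, ast.Constant) and isinstance(value.value, str))

def find_literal_credentials(source):
    """Return sorted (line, keyword) pairs for sensitive kwargs set to string literals."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg in SENSITIVE_KWARGS and _is_literal(kw.value):
                findings.append((kw.value.lineno, kw.arg))
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_literal_credentials(SAMPLE_PROGRAM):
        print(f"line {line}: {name} is a string literal; read it with config.require_secret()")
```

    The check only sees literals passed directly as arguments; a literal assigned to a variable first and then passed by name is not reported.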

    Ensure you have the Pulumi CLI installed and configured, as well as credentials for both Pulumi and Auth0 set up in your environment to apply this program. Once executed, Pulumi will provision the resources described above in your Auth0 account.