> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-actions-triggers-reorg.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to enable Adaptive MFA for low confidence logins based on Auth0's risk assessment and overall confidence scores.

# Enable Adaptive MFA

<Card title="Before you start">
  * Subscribe to an Enterprise Plan with the Adaptive MFA addon. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
  * Configure and enable a Database or Active Directory connection.
  * Configure and enable at least one MFA factor.
</Card>

Use <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=Adaptive+MFA">Adaptive MFA</Tooltip> to trigger <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> when Auth0 determines that an attempted login is risky and to record risk assessments for all login transactions in your tenant logs.

## Enable Adaptive MFA

You can enable Adaptive MFA in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or with the Auth0 <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Tabs>
  <Tab title="Dashboard">
    1. Go to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/#/security/mfa).

    <Frame>
      <img src="https://mintcdn.com/docs-dev-actions-triggers-reorg/xf2VtLvVE75-w4nf/docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png?fit=max&auto=format&n=xf2VtLvVE75-w4nf&q=85&s=492da554cc802f125adccfe1f503ae65" alt="Auth0 Dashboard Security Multi-factor Auth Adaptive MFA Policy" width="839" height="1076" data-path="docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png" />
    </Frame>

    2. In the **Factors** section, enable and configure at least one MFA Factor. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors).

    3. In the **Define policies** section, locate **Require Multi-factor Auth**, and then select **Use Adaptive MFA**. Risk assessment will automatically be enabled and recorded in your tenant logs.

    4. In the **Device Trust Duration** field, set the number of days a device remains trusted before the user needs to authenticate with MFA. The default timeframe is 30 days, but you may increase or decrease the number of challenges for your users.

           <Warning>
             Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
           </Warning>

       * You can set the trusted device duration between 1 and 365 days.
       * If you modify the duration, the new duration value is applied to your users' device the next time they log in.

    5. Select **Save**.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      If you are using the [Identifier First Authentication](/docs/authenticate/login/auth0-universal-login/identifier-first) factor `email`, you must update email attributes in [Dashboard > Database Connections > Authentication Methods](https://manage.auth0.com/#/connections/database). On the Email Configuration tab, ensure the email attribute is active. Then, set **Allow Signup to Required** and enable **Require** email on user profile.

      <Frame>
        <img src="https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=9208a0dc30be5d7c7a23672144b94e3e" alt="Auth0 Dashboard > Authentication > Database Connections > Authentication Methods" data-og-width="532" width="532" data-og-height="829" height="829" data-path="docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=280&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=95c82b5992699647973a9cf4d9c846b5 280w, https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=560&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=f6a2ad0028e54a959428e42c2f84f60b 560w, https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=840&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=db3962025db3da1b2faf23e2882c454a 840w, https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=1100&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=7319f30c2495bd0c3a7f19329e730281 1100w, https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=1650&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=bf4761c0359816f84bb18acc7be2b239 1650w, https://mintcdn.com/docs-dev-actions-triggers-reorg/2-Eh_BXqipbh00dm/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=2500&fit=max&auto=format&n=2-Eh_BXqipbh00dm&q=85&s=0d5c78511ceb26f1d12616e8092d8b4f 2500w" />
      </Frame>
    </Callout>
  </Tab>

  <Tab title="Management API">
    1. Get a [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) with the `update:mfa_policies` scope.

    2. Call the Management API [Set the multi-factor authentication policies](https://auth0.com/docs/api/management/v2/guardian/put-policies) endpoint with the appropriate payload.

    3. If you want to change the **Device Trust Duration** from the default 30 days, call the [Update New Device Accessor](https://auth0.com/docs/api/management/v2/risk-assessments/patch-new-device). You need to add the following scopes to your Management API access token:
       * `read:attack_protection`
       * `update:attack_protection`
           <Warning>
             Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
           </Warning>
  </Tab>
</Tabs>

## Enable Adaptive MFA Risk Assessment

If you aren't ready to enable Adaptive MFA, but want to start training it to analyze login behavior, you can enable Adaptive MFA Risk Assessment independently.

1. Go to [Dashboard > Security > Multi-factor Auth](https://manage.auth0.com/#/security/mfa).
2. Locate the **Define policies** section.
3. In **MFA Risk Assessors**, select **Enable Adaptive MFA Risk Assessment**.
4. Select **Save**.

## Customize Adaptive MFA

You can customize the behavior of Adaptive MFA to provide the best experience for your users while ensuring security. To learn more, read [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Actions that trigger MFA take precedence over default Adaptive MFA behavior.
</Callout>

## Limitations

Assessment information in tenant logs is only available for interactive flows. Auth0 does not support recording assessment information for <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=Resource+Owner">Resource Owner</Tooltip> Password Grant (ROPG) flows without adaptive MFA enabled. For more information about authentication flow limitations, read [Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa).

## Learn more

* [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa)
* [Adaptive MFA Log Events](/docs/secure/multi-factor-authentication/adaptive-mfa/adaptive-mfa-log-events)
* [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors)
