> Learn how to enable Adaptive MFA for low confidence logins based on Auth0's risk assessment and overall confidence scores.

# Enable Adaptive MFA

<Card title="Before you start">
  * Subscribe to an Enterprise Plan with the Adaptive MFA addon. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
  * Configure and enable a Database or Active Directory connection.
  * Configure and enable at least one MFA factor.
</Card>

Use <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=Adaptive+MFA">Adaptive MFA</Tooltip> to trigger <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> when Auth0 determines that an attempted login is risky and to record risk assessments for all login transactions in your tenant logs.

## Enable Adaptive MFA

You can enable Adaptive MFA in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or with the Auth0 <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Tabs>
  <Tab title="Dashboard">
    1. Go to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/#/security/mfa).

    <Frame>
      <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/RDh-UBFSkTEu_d9f/docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png?fit=max&auto=format&n=RDh-UBFSkTEu_d9f&q=85&s=d3f9f956fd6f4197f8738ab05ba579a7" alt="Auth0 Dashboard Security Multi-factor Auth Adaptive MFA Policy" width="839" height="1076" data-path="docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png" />
    </Frame>

    2. In the **Factors** section, enable and configure at least one MFA Factor. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors).

    3. In the **Define policies** section, locate **Require Multi-factor Auth**, and then select **Use Adaptive MFA**. Risk assessment will automatically be enabled and recorded in your tenant logs.

    4. In the **Device Trust Duration** field, set the number of days a device remains trusted before the user needs to authenticate with MFA again. The default is 30 days. A shorter duration challenges your users more often, and a longer duration challenges them less often.

       * You can set the trusted device duration between 1 and 365 days.
       * If you modify the duration, the new duration value is applied to your users' devices the next time they log in.

       <Warning>
         Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
       </Warning>

    5. Select **Save**.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      If you are using the [Identifier First Authentication](/docs/authenticate/login/auth0-universal-login/identifier-first) factor `email`, you must update email attributes in [Dashboard > Database Connections > Authentication Methods](https://manage.auth0.com/#/connections/database). On the Email Configuration tab, ensure the email attribute is active. Then, set **Allow Signup** to **Required** and enable **Require email on user profile**.

      <Frame>
        <img src="https://mintcdn.com/docs-dev-docs-event-stream-action-templates/YlSGjDQ1BrChv4Jn/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?fit=max&auto=format&n=YlSGjDQ1BrChv4Jn&q=85&s=d6caecc799051bcb34c15226f2c18e3a" alt="Auth0 Dashboard > Authentication > Database Connections > Authentication Methods" width="532" height="829" data-path="docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png" />
      </Frame>
    </Callout>
  </Tab>

  <Tab title="Management API">
    1. Get a [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) with the `update:mfa_policies` scope.

    2. Call the Management API [Set the multi-factor authentication policies](https://auth0.com/docs/api/management/v2/guardian/put-policies) endpoint with the appropriate payload.

    3. If you want to change the **Device Trust Duration** from the default 30 days, call the [Update New Device Assessor](https://auth0.com/docs/api/management/v2/risk-assessments/patch-new-device) endpoint. You need to add the following scopes to your Management API access token:
       * `read:attack_protection`
       * `update:attack_protection`

       <Warning>
         Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
       </Warning>
  </Tab>
</Tabs>
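
The Management API steps above, sketched as an added Python example (not Auth0's own code): it checks the token's scopes against the ones this page lists, validates the 1 to 365 day range, and builds the two requests in order. The tenant domain is a constructed placeholder. The `confidence-score` policy value, the `/risk-assessments/settings/new-device` path and the `remember_for` field do not appear on this page and are assumptions to confirm against the linked endpoint references.

```python
import json
import urllib.request

TENANT_DOMAIN = "example-tenant.us.auth0.com"  # constructed placeholder

def build(method, path, body, token):
    """Build (not send) an authenticated Management API v2 JSON request."""
    return urllib.request.Request(
        f"https://{TENANT_DOMAIN}/api/v2{path}",
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )

def missing_scopes(scope_claim, change_device_trust=False):
    """Scopes this page requires that the token's space-separated claim lacks."""
    required = {"update:mfa_policies"}
    if change_device_trust:
        required |= {"read:attack_protection", "update:attack_protection"}
    return sorted(required - set(scope_claim.split()))

def adaptive_mfa_policy_request(token):
    """Step 2. Assumption: the policy list ["confidence-score"] selects
    Adaptive MFA (the page only says 'the appropriate payload')."""
    return build("PUT", "/guardian/policies", ["confidence-score"], token)

def device_trust_request(days, token):
    """Step 3. The page allows a trust duration of 1 to 365 days."""
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= 365:
        raise ValueError("Device Trust Duration must be 1-365 whole days")
    # Assumption: path and 'remember_for' field name; check the endpoint reference.
    return build("PATCH", "/risk-assessments/settings/new-device",
                 {"remember_for": days}, token)

def enable_adaptive_mfa(token, scope_claim, days=None, send=urllib.request.urlopen):
    """Check scopes and inputs first, then send the requests in order. urlopen
    raises HTTPError on a non-2xx reply, so a rejected policy change stops the run."""
    lacking = missing_scopes(scope_claim, change_device_trust=days is not None)
    if lacking:
        raise PermissionError(f"token lacks scopes: {lacking}")
    requests = [adaptive_mfa_policy_request(token)]
    if days is not None:
        requests.append(device_trust_request(days, token))
    statuses = []
    for req in requests:
        with send(req) as resp:
            statuses.append(resp.status)
    return statuses
```

Because both requests are built before either is sent, an out-of-range duration or a missing scope fails the run before the tenant's MFA policy is changed.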

## Enable Adaptive MFA Risk Assessment

If you aren't ready to enable Adaptive MFA, but want to start training it to analyze login behavior, you can enable Adaptive MFA Risk Assessment independently.

1. Go to [Dashboard > Security > Multi-factor Auth](https://manage.auth0.com/#/security/mfa).
2. Locate the **Define policies** section.
3. In **MFA Risk Assessors**, select **Enable Adaptive MFA Risk Assessment**.
4. Select **Save**.

## Customize Adaptive MFA

You can customize the behavior of Adaptive MFA to provide the best experience for your users while ensuring security. To learn more, read [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Actions that trigger MFA take precedence over default Adaptive MFA behavior.
</Callout>

## Limitations

Assessment information in tenant logs is only available for interactive flows. Auth0 does not support recording assessment information for <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=Resource+Owner">Resource Owner</Tooltip> Password Grant (ROPG) flows without Adaptive MFA enabled. For more information about authentication flow limitations, read [Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa).

## Learn more

* [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa)
* [Adaptive MFA Log Events](/docs/secure/multi-factor-authentication/adaptive-mfa/adaptive-mfa-log-events)
* [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors)
