> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to enable Adaptive MFA for low confidence logins based on Auth0's risk assessment and overall confidence scores.

# Enable Adaptive MFA

<Card title="Before you start">
  * Subscribe to an Enterprise Plan with the Adaptive MFA addon. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
  * Configure and enable a Database or Active Directory connection.
  * Configure and enable at least one MFA factor.
</Card>

Use <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=Adaptive+MFA">Adaptive MFA</Tooltip> to trigger <Tooltip tip="Adaptive Multi-factor Authentication: Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip> when Auth0 determines that an attempted login is risky and to record risk assessments for all login transactions in your tenant logs.

## Enable Adaptive MFA

You can enable Adaptive MFA in the <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> or with the Auth0 <Tooltip tip="Auth0 Dashboard: Auth0's main product to configure your services." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip>.

<Tabs>
  <Tab title="Dashboard">
    1. Go to [**Dashboard > Security > Multi-factor Auth**](https://manage.auth0.com/#/security/mfa).

    <Frame>
      <img src="https://mintcdn.com/docs-staging-docs-event-stream-action-templates/_f6VB3c5DFTi_7Uz/docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png?fit=max&auto=format&n=_f6VB3c5DFTi_7Uz&q=85&s=dd61efcc3648049fda2bf86ec8b1c0e8" alt="Auth0 Dashboard Security Multi-factor Auth Adaptive MFA Policy" width="839" height="1076" data-path="docs/images/cdy7uua7fh8z/4IlQi0LXOPJdYjOuo09xtE/944ce27c115cb43133aac78d9b6b7886/MFA_Factors_-_English.png" />
    </Frame>

    2. In the **Factors** section, enable and configure at least one MFA Factor. To learn more, read [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors).

    3. In the **Define policies** section, locate **Require Multi-factor Auth**, and then select **Use Adaptive MFA**. Risk assessment will automatically be enabled and recorded in your tenant logs.

    4. In the **Device Trust Duration** field, set the number of days a device remains trusted before the user needs to authenticate with MFA. The default timeframe is 30 days, but you may increase or decrease the number of challenges for your users.

           <Warning>
             Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
           </Warning>

       * You can set the trusted device duration between 1 and 365 days.
       * If you modify the duration, the new duration value is applied to your users' device the next time they log in.

    5. Select **Save**.

    <Callout icon="file-lines" color="#0EA5E9" iconType="regular">
      If you are using the [Identifier First Authentication](/docs/authenticate/login/auth0-universal-login/identifier-first) factor `email`, you must update email attributes in [Dashboard > Database Connections > Authentication Methods](https://manage.auth0.com/#/connections/database). On the Email Configuration tab, ensure the email attribute is active. Then, set **Allow Signup to Required** and enable **Require** email on user profile.

      <Frame>
        <img src="https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=833e9befdcbc46d4ba61650e0faaebe1" alt="Auth0 Dashboard > Authentication > Database Connections > Authentication Methods" data-og-width="532" width="532" data-og-height="829" height="829" data-path="docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=280&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=caad3793ab279ee9ed234a4d7151a13b 280w, https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=560&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=e81ecb5d375bcd73d46c767daa47fd26 560w, https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=840&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=d49b8c0a52a2f07071f276a6b88d87d0 840w, https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=1100&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=626a50fc6afba7e1230ea709fb736a75 1100w, https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=1650&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=2a6a037a5698b439bf422c065d3dcc73 1650w, https://mintcdn.com/docs-staging-docs-event-stream-action-templates/jbtV9m9RubSTfp8S/docs/images/cdy7uua7fh8z/ql7yYX1GnJaiPQnjQQBTs/7ce5b2a51be21e4b3b6dc65b97b4b3eb/Email_Config_-_English.png?w=2500&fit=max&auto=format&n=jbtV9m9RubSTfp8S&q=85&s=4dce11742fbc6aed0057b33673540eb6 2500w" />
      </Frame>
    </Callout>
  </Tab>

  <Tab title="Management API">
    1. Get a [Management API access token](/docs/secure/tokens/access-tokens/management-api-access-tokens/get-management-api-access-tokens-for-production) with the `update:mfa_policies` scope.

    2. Call the Management API [Set the multi-factor authentication policies](https://auth0.com/docs/api/management/v2/guardian/put-policies) endpoint with the appropriate payload.

    3. If you want to change the **Device Trust Duration** from the default 30 days, call the [Update New Device Accessor](https://auth0.com/docs/api/management/v2/risk-assessments/patch-new-device). You need to add the following scopes to your Management API access token:
       * `read:attack_protection`
       * `update:attack_protection`
           <Warning>
             Auth0 customers are responsible for any diminishment in security posture resulting from changing the device remembrance time period to a period longer than Okta's standard recommended setup.
           </Warning>
  </Tab>
</Tabs>

## Enable Adaptive MFA Risk Assessment

If you aren't ready to enable Adaptive MFA, but want to start training it to analyze login behavior, you can enable Adaptive MFA Risk Assessment independently.

1. Go to [Dashboard > Security > Multi-factor Auth](https://manage.auth0.com/#/security/mfa).
2. Locate the **Define policies** section.
3. In **MFA Risk Assessors**, select **Enable Adaptive MFA Risk Assessment**.
4. Select **Save**.

## Customize Adaptive MFA

You can customize the behavior of Adaptive MFA to provide the best experience for your users while ensuring security. To learn more, read [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa).

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  Actions that trigger MFA take precedence over default Adaptive MFA behavior.
</Callout>

## Limitations

Assessment information in tenant logs is only available for interactive flows. Auth0 does not support recording assessment information for <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=Resource+Owner">Resource Owner</Tooltip> Password Grant (ROPG) flows without adaptive MFA enabled. For more information about authentication flow limitations, read [Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa).

## Learn more

* [Customize Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa/customize-adaptive-mfa)
* [Adaptive MFA Log Events](/docs/secure/multi-factor-authentication/adaptive-mfa/adaptive-mfa-log-events)
* [Multi-Factor Authentication Factors](/docs/secure/multi-factor-authentication/multi-factor-authentication-factors)