How to Set Up SMS MFA with Auth0 Using DataFlows

Learn how to add SMS multi-factor authentication to your Auth0 application using DataFlows. A step-by-step guide for developers to secure user logins with one-time passcodes sent via SMS.

Multi-factor authentication (MFA) is no longer optional. With credential-based attacks on the rise, adding a second layer of verification protects your users and your business. SMS-based MFA — where a one-time passcode (OTP) is sent to the user's phone — remains one of the most widely adopted and user-friendly methods available.

This guide walks you through setting up SMS MFA in Auth0 using the DataFlows integration. You will have OTP verification working in your application within minutes — no complex infrastructure required.

What Is SMS MFA?

SMS MFA (SMS multi-factor authentication) adds a second verification step to your login flow. After a user enters their password, they receive a unique one-time passcode via SMS. They must enter this code to complete the login. Even if a password is stolen, an attacker cannot access the account without also having access to the user's mobile phone.

SMS OTP verification is used across banking, healthcare, SaaS platforms, and government portals because it requires no app installation and works on any mobile number worldwide.

Why Use DataFlows for Auth0 SMS MFA?

Auth0 supports custom SMS providers through its Actions and custom SMS gateway feature. DataFlows is an ACMA-registered SMS provider built for Australian businesses — meaning your OTP messages are delivered with a registered Sender ID, high deliverability, and local compliance built in.

Key advantages of using DataFlows for Auth0 SMS MFA:

ACMA-registered: Your SMS messages come from a verified Australian Sender ID, not a random number. This builds trust with users who might otherwise ignore the code.

High deliverability: OTP codes need to arrive within seconds. DataFlows routes via tier-1 Australian carriers to ensure fast, reliable delivery.

Simple REST API: Easy to integrate with Auth0's custom SMS provider flow — a few lines of code in an Auth0 Action.

Australian-based support: Local team, AEST business hours. You are not dealing with overseas call centres when something breaks.

No lock-in contracts: Pay-as-you-go SMS credits. Plans start from $35/month with no minimum commitment.

Prerequisites

Before you start, you will need:

An Auth0 account with an existing application configured

A DataFlows account with SMS API access enabled

Your DataFlows API token (found under Developer in your DataFlows dashboard)

A registered Sender ID or virtual number in your DataFlows account

Step-by-Step: Set Up SMS MFA with Auth0 and DataFlows

Step 1 — Create a DataFlows Account and Get Your API Token

Go to dataflows.com.au and create an account. Once logged in, navigate to the Developer section in your dashboard and generate your API Token. Copy this token — you will need it when configuring the Auth0 Action in Step 3.

Also set up your Sender ID under the Sender IDs section. If you are sending OTP messages for a business application, using a branded Sender ID (your company name) significantly improves trust and open rates compared to a random number.

Step 2 — Enable MFA in Auth0

In your Auth0 dashboard, navigate to Security then Multi-factor Auth. Enable the SMS factor. You will see options for the built-in Twilio integration and a Custom SMS Gateway option. Select Custom SMS Gateway to use DataFlows as your SMS provider.

Auth0 will prompt you to configure an Action that sends the OTP via your chosen provider. This is where DataFlows comes in.

Step 3 — Configure DataFlows as Your Custom SMS Gateway

Auth0 allows you to send SMS through any provider by using an Auth0 Action. Navigate to Actions then Flows then Send Phone Message. Create a new Action with the following Node.js code:

    const axios = require('axios');

    // Auth0 calls this handler whenever it needs to send an MFA code by SMS.
    exports.onExecuteSendPhoneMessage = async (event, api) => {
      const to = event.message_options.recipient; // user's phone number
      const message = event.message_options.text; // message text containing the OTP

      // Send the message through the DataFlows SMS API.
      await axios.post(
        'https://api.dataflows.com.au/sms/send',
        { to: to, message: message, from: 'YourSenderID' },
        {
          headers: {
            'Authorization': 'Bearer YOUR_DATAFLOWS_API_TOKEN',
            'Content-Type': 'application/json'
          }
        }
      );
    };

Replace YOUR_DATAFLOWS_API_TOKEN with the token from your DataFlows Developer dashboard. Replace YourSenderID with your registered Sender ID or virtual number. Click Deploy to activate the Action.

Security tip: store your DataFlows API token as an Auth0 Action Secret (under Secrets in the Action editor) rather than hardcoding it in the code. Reference it as event.secrets.DATAFLOWS_API_TOKEN.
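
The security tip above, applied to the Action from this step. This is an added example, not code from Auth0 or DataFlows. The secret name DATAFLOWS_SENDER_ID, the use of the runtime's built-in fetch (Node 18+) in place of axios, the 5-second timeout and the helper names are assumptions.

```javascript
// Added example: hardened variant of the Send Phone Message Action.
// Assumptions: secrets named DATAFLOWS_API_TOKEN / DATAFLOWS_SENDER_ID, a
// runtime with global fetch (Node 18+), and a 5 s timeout are illustrative.
const DATAFLOWS_URL = 'https://api.dataflows.com.au/sms/send'; // endpoint from this guide

// Keep only the last two digits so logs never hold a full phone number.
function maskRecipient(number) {
  const s = String(number);
  return '*'.repeat(Math.max(s.length - 2, 0)) + s.slice(-2);
}

// Build the HTTP request from the Auth0 event; fail closed if a secret is missing.
function buildSmsRequest(event) {
  const { DATAFLOWS_API_TOKEN: token, DATAFLOWS_SENDER_ID: from } = event.secrets || {};
  if (!token || !from) {
    throw new Error('DataFlows secrets are not configured');
  }
  const { recipient, text } = event.message_options;
  return {
    url: DATAFLOWS_URL,
    init: {
      method: 'POST',
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ to: recipient, message: text, from }),
    },
  };
}

// Send the OTP. Errors carry the HTTP status and a masked number only,
// never the token, the OTP text, or the provider's response body.
async function sendOtp(event, fetchImpl = globalThis.fetch) {
  const { url, init } = buildSmsRequest(event);
  const to = maskRecipient(event.message_options.recipient);
  let res;
  try {
    res = await fetchImpl(url, { ...init, signal: AbortSignal.timeout(5000) });
  } catch (err) {
    throw new Error(`DataFlows request failed for ${to}: ${err.name}`);
  }
  if (!res.ok) {
    throw new Error(`DataFlows returned HTTP ${res.status} for ${to}`);
  }
  return { status: res.status, to };
}

// Auth0 entry point (guarded so the file also loads outside CommonJS).
if (typeof module !== 'undefined' && module.exports) {
  module.exports.onExecuteSendPhoneMessage = async (event, api) => { await sendOtp(event); };
}
```

Because the thrown errors contain no token or OTP text, anything that reaches the Action logs is safe to share when troubleshooting delivery.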

Step 4 — Test the MFA Flow

Use Auth0's Try button in the Actions editor to trigger a test event. Enter a real mobile number you have access to and confirm the OTP arrives via SMS within a few seconds. Open your DataFlows dashboard to verify the message was sent and shows a Delivered status.

If the SMS does not arrive, check the Auth0 Action logs (Real-time Webtask Logs) for errors and review your DataFlows API token and Sender ID configuration.

Step 5 — Enable MFA for Your Application

In Auth0, go to Applications, select your app, then go to Advanced Settings and ensure the MFA grant type is supported. Under Security then Multi-factor Auth, you can set MFA enforcement to:

Always: MFA is required on every login. Best for high-security applications.

Adaptive: MFA is triggered when risk signals are detected (new device, unusual location). Balances security and user experience.

Never: MFA is disabled. Not recommended for production applications.

Best Practices for SMS MFA

Keep OTP codes short and time-limited: 6-digit codes expiring in 5 minutes are the industry standard. Auth0 manages this automatically.

Use a branded Sender ID: Messages from your business name build trust and reduce confusion. Register your Sender ID in DataFlows before going live.

Store API tokens as secrets: Use Auth0 Action Secrets to store your DataFlows API token — never hardcode credentials in your Action code.

Monitor delivery reports: Check your DataFlows delivery dashboard regularly to catch failed OTP deliveries before users report login issues.

Limit OTP resend attempts: Configure rate limiting in your Auth0 tenant to prevent abuse and protect your SMS credits from being drained by bots.

Comply with Australian spam law: OTP messages are transactional, not marketing — they are exempt from opt-in requirements under the Spam Act 2003. You do not need explicit consent to send OTP codes.

How DataFlows Helps Beyond MFA

Once DataFlows is connected to your Auth0 application, you can use the same DataFlows account for bulk SMS campaigns, appointment reminders, customer notifications, and two-way SMS conversations — all from one platform.

DataFlows also integrates with Zapier, Power Automate, Microsoft Teams, Shopify, WordPress, Supabase, GoHighLevel, and Cliniko — so your SMS infrastructure can grow alongside your business automation stack.

Conclusion

Adding SMS MFA to Auth0 with DataFlows takes less than 30 minutes. You get a secure, compliant, Australian-hosted OTP flow with high deliverability and full visibility into every message sent. The combination of Auth0's identity management and DataFlows' SMS infrastructure gives your application enterprise-grade authentication without the enterprise-grade cost.

Get started at dataflows.com.au — create your account, generate your API token under Developer, and have SMS OTP live in Auth0 today.
