This article will explain the steps necessary for an Auth0 Admin to view the full Multi-Factor Authentication (MFA) SMS phone number a user enrolls with, as it is obfuscated by default.

By default, the last 4 digits of a phone number are shown when using the Management API call outlined in Get a list of authentication methods:

 {{base_url}}/api/v2/users/{{user_id}}/authentication-methods

Sample Response:

"phone_number": "XXXXXXXX1234"

• Multi-Factor Authentication (MFA) SMS
• Management API

By updating the following tenant flag via the Management API call Update tenant settings, the full phone number should be retrievable:

PATCH /api/v2/tenants/settings

The flag to update:

{ "flags": { "disable_management_api_sms_obfuscation": true } }

After doing this, this endpoint should return the full phone number if the user enrolled in SMS MFA:

{{base_url}}/api/v2/users/{{user_id}}/authentication-methods