Multiple SMS Authentication Factors and Changing SMS

Overview

We're building a custom UI to allow logged-in users to change their Auth0 MFA phone number, following this documentation: https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api
We only have phone number as an MFA option (with either voice or text message).
Would we need to reset a user's existing MFA number before they're allowed to enroll another one?
What would be the endpoints that we'd need to call, in order, after obtaining the MFA token?

Applies To

  • MFA API

Solution

When using the MFA API, the procedure could be:

  1. The user logs into their account, requesting the MFA API audience and the enroll, read:authenticators and remove:authenticators scopes.
  2. The user completes MFA using their existing enrolled authenticator (e.g. the old phone number, or a recovery code).
  3. With the MFA access token available, call the list authenticators endpoint to find the ID of the existing SMS authenticator.
  4. Delete the existing authenticator using the delete authenticator endpoint.
  5. Enrollment can now be carried out for a new SMS authenticator.
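The following is an added example of steps 3 to 5 in code; it is not Auth0's own code. It assumes a placeholder tenant domain, an MFA API access token that was already obtained as in steps 1 and 2 (a login that requested the MFA audience and scopes and then completed MFA with the existing factor), and the MFA API endpoints documented by Auth0: GET and DELETE on /mfa/authenticators and POST /mfa/associate. The final verification of the new number with the mfa-oob grant against /oauth/token is taken from Auth0's enrollment documentation and is not one of the five steps above. The HTTP transport is injectable, and the sample authenticator list and fake transport are constructed so the flow can be run offline.

```python
"""Rotate a user's phone (SMS/voice) authenticator via the Auth0 MFA API.

Added example, not Auth0's code. Assumptions: AUTH0_DOMAIN is a placeholder;
`mfa_token` came from a login that requested audience https://{domain}/mfa/
with scopes enroll, read:authenticators, remove:authenticators and completed
MFA with the existing factor; `transport` performs the HTTP call.
"""
import json
import urllib.request

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder, not a real tenant
PHONE_CHANNELS = ("sms", "voice")       # the two channels of the phone factor


def urllib_transport(method, url, headers, body):
    """Real HTTP transport: JSON in, JSON out; raises on a non-2xx response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def phone_authenticator_ids(authenticators):
    """Select only active phone (oob sms/voice) authenticators for removal.
    Recovery codes and inactive entries are deliberately left alone."""
    return [
        a["id"]
        for a in authenticators
        if a.get("active")
        and a.get("authenticator_type") == "oob"
        and a.get("oob_channel") in PHONE_CHANNELS
    ]


def rotate_phone_authenticator(mfa_token, new_phone, channel="sms",
                               domain=AUTH0_DOMAIN, transport=urllib_transport):
    """Steps 3-5: list, delete the old phone authenticator(s), enroll the new one."""
    if channel not in PHONE_CHANNELS:
        raise ValueError("channel must be 'sms' or 'voice'")
    base = f"https://{domain}/mfa"
    headers = {"Authorization": f"Bearer {mfa_token}",
               "Content-Type": "application/json"}

    # Step 3: list authenticators and pick out the existing phone ones.
    current = transport("GET", f"{base}/authenticators", headers, None)
    old_ids = phone_authenticator_ids(current)

    # Step 4: delete them. This is safe only because the MFA token attests
    # that the caller already passed MFA with the old factor (step 2).
    for auth_id in old_ids:
        transport("DELETE", f"{base}/authenticators/{auth_id}", headers, None)

    # Step 5: start enrollment of the new number. Auth0 returns an oob_code;
    # the number only becomes active once the user submits the code it sent.
    enrol = transport("POST", f"{base}/associate", headers, {
        "authenticator_types": ["oob"],
        "oob_channels": [channel],
        "phone_number": new_phone,
    })
    return {"removed": old_ids, "oob_code": enrol["oob_code"]}


def confirm_phone_enrollment(mfa_token, oob_code, binding_code, client_id,
                             client_secret=None, domain=AUTH0_DOMAIN,
                             transport=urllib_transport):
    """Finish enrollment with the mfa-oob grant (from Auth0's enrollment docs)."""
    body = {
        "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob",
        "client_id": client_id,
        "mfa_token": mfa_token,
        "oob_code": oob_code,
        "binding_code": binding_code,   # the code the user received by SMS/voice
    }
    if client_secret:                   # confidential clients only
        body["client_secret"] = client_secret
    return transport("POST", f"https://{domain}/oauth/token",
                     {"Content-Type": "application/json"}, body)


# Constructed sample data, shaped like the documented list response.
SAMPLE_AUTHENTICATORS = [
    {"id": "recovery-code|dev_EXAMPLE1", "authenticator_type": "recovery-code",
     "active": True},
    {"id": "sms|dev_EXAMPLE2", "authenticator_type": "oob", "oob_channel": "sms",
     "name": "XXXXXXX1234", "active": True},
    {"id": "sms|dev_EXAMPLE3", "authenticator_type": "oob", "oob_channel": "sms",
     "active": False},
]


def fake_transport_factory(calls):
    """Offline transport that records (method, path) and answers like Auth0."""
    def fake(method, url, headers, body):
        assert headers.get("Authorization", "").startswith("Bearer ")
        calls.append((method, url.split(AUTH0_DOMAIN, 1)[1], body))
        if method == "GET":
            return SAMPLE_AUTHENTICATORS
        if method == "POST":
            return {"oob_code": "constructed-oob-code", "authenticator_type": "oob",
                    "binding_method": "prompt"}
        return None
    return fake


if __name__ == "__main__":
    log = []
    result = rotate_phone_authenticator("constructed-mfa-token", "+15555550100",
                                        transport=fake_transport_factory(log))
    for method, path, _ in log:
        print(method, path)
    print(result)
```

Only the active SMS authenticator is removed; the recovery-code authenticator stays, so the user keeps a fallback if the new enrollment is never confirmed. Swap `fake_transport_factory` for `urllib_transport` to run the flow against a tenant.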
