Troubleshoot Auth0 Multi-Factor Authentication Issues

Overview

Troubleshooting Multi-Factor Authentication (MFA) issues involves resolving user access problems, addressing Short Message Service (SMS) delivery failures, and correcting rejected authenticator codes. End-users experience issues such as lost devices, expired transactions, or incorrect device clock settings that prevent successful authentication.

Applies To
  • Auth0
  • Multi-Factor Authentication (MFA)
  • Troubleshooting

Cause

MFA failures occur due to lost devices, expired authentication transactions, SMS rate limits, or incorrect device clock settings.

Solution

How are general MFA user access issues resolved in Auth0?

Resolve general Auth0 MFA user access issues by taking the action that matches the scenario:

  • Lost device: In this situation, the user can complete authentication using the recovery code provided during initial sign-up. The user enters their email and password to log in, selects the Use the recovery code link, and then enters the recovery code. The user must contact the system administrator if the recovery code is unavailable.
  • Forgotten password: The user can select the Don't remember your password? link located underneath the email and password fields, and then enter their email address to receive a password reset link.
  • Expired transaction: Auth0 enforces a five-minute maximum between providing the first and second factors. The user must log in again and obtain a new code or receive a new notification if more than 5 minutes elapse.
  • Reset MFA: Administrators must reset MFA to remove or delete MFA from a user in the tenant.

How are Short Message Service delivery issues resolved in Auth0?

Address SMS delivery failures and rate limits by verifying device connectivity and waiting for the rate limit to expire.

  • No SMS received: Verify that the provided phone number is correct and that the device has a cellular signal. Contact the service provider to confirm that messages are not blocked.
  • Rate limits: Auth0 displays a rate limit exception error if the user attempts to send more than ten SMS messages to the device within one hour. The user must wait at least one hour after the first message request before requesting another. Auth0 grants an additional attempt after each subsequent hour.

How are rejected authenticator codes resolved?

Auth0 rejects the six-digit code in the Guardian or Google Authenticator application (often displaying an Incorrect Code message) if the wrong application is selected or the device clock settings are incorrect. One-time passwords are generated using Coordinated Universal Time (UTC). Verify the clock settings by following the steps below for the specific operating system.

  • Android Devices: Navigate to Settings > Date & Time and ensure the box next to Automatic is selected.
  • iOS Devices: Navigate to Settings > General > Date & Time and enable Set Automatically. Disable and re-enable the setting if it is already active.
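
Why a wrong device clock produces an Incorrect Code message, shown as an added example (this is not Auth0's code): a time-based one-time password per RFC 6238, a verifier, and a server-side check that estimates how far the device clock is off. The 30-second step, HMAC-SHA-1, the one-step acceptance window and the function names are assumptions, and the key and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step: RFC 6238 default, assumed (not stated on the page)
DIGITS = 6   # the six-digit code the page describes


def totp(secret: bytes, utc_seconds: int) -> str:
    """RFC 6238 code (HMAC-SHA-1) for a UTC Unix timestamp."""
    counter = struct.pack(">Q", utc_seconds // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (window is assumed)."""
    return any(
        hmac.compare_digest(totp(secret, server_time + k * STEP), code)
        for k in range(-window, window + 1)
    )


def estimate_drift_steps(secret, code, server_time, max_steps=120):
    """Server-side diagnostic: smallest clock offset, in steps, that explains `code`.

    Returns None when no offset within +/- max_steps matches, which points to
    a wrong application or account rather than a wrong clock.
    """
    for k in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time + k * STEP), code):
            return k
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test key, not a real enrollment
    server_now = 1111111109               # constructed "correct" UTC time
    device_now = server_now + 600         # constructed device clock, 10 minutes fast
    code = totp(secret, device_now)
    print("accepted:", verify(secret, code, server_now))
    drift = estimate_drift_steps(secret, code, server_now)
    print("device clock offset:", None if drift is None else drift * STEP, "seconds")
```

Widening `window` would accept the drifted code, but it also enlarges the set of codes valid at any moment, so the fix stays on the device clock.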

 

 

How are Duo-related issues resolved?

Review the Duo documentation for questions or issues specifically regarding Duo integrations.
