Accessing User MFA Enrollment Status

We have a need to see the MFA enrollment status for all of our users via the Management API. I see there is a multifactor field returned by the list and get user endpoints, but it does not seem to reflect the current enrollment status (i.e. seems like it always returns ["any", "guardian"] for a user after enrolling in MFA; even after resetting MFA).

I saw this old thread, which seems to suggest that the issue is due to indexing delays involved with the list endpoint; however, I seem to be getting the same results whether I use the list or get user endpoint (e.g. /api/v2/users/{id}).

Is this multifactor field supposed to reflect actual enrollment status, or does it just reflect available providers? In inspecting the API calls made by Auth0’s dashboard for the user profile page, I see there is a guardian_authenticators field that seems to reflect the actual current enrollments accurately. Can this be made available on the public list users endpoint?

If not, is there any other way to view the MFA enrollment status for a list of users?


Hello,

I’m facing the exact same issue (I’d like to know the exact enrollment status) to trigger or not the double factor. Is there any reliable solution for this purpose?

Best,
Nicolas

I just found that we can ask the API to return the list of enrollments of the current user with their status.

Here is the rule that does the job:

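```javascript
function (user, context, callback) {
  // Management API client, authenticated with the token available to rules
  var ManagementClient = require('auth0@2.19.0').ManagementClient;
  var management = new ManagementClient({
    token: auth0.accessToken,
    domain: auth0.domain
  });

  // Fetch this user's Guardian enrollments together with their status
  management.getGuardianEnrollments({ id: user.user_id }, function (err, enrollments) {
    // Set context.multifactor only when no enrollment has status 'confirmed'
    if (!err && !enrollments.some(function(e) { return e.status === 'confirmed'; })) {
      context.multifactor = {
        provider: 'any',
        allowRememberBrowser: false
      };
    }

    // A lookup error is passed to the callback
    callback(err, user, context);
  });
}
```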

Thanks, nlenepveu, we ended up doing basically the same thing for our actual authentication flow, too.

However, we would still very much like to be able to retrieve an MFA enrollment status for multiple users as part of the list users endpoint. Any acknowledgment from Auth0 would be very appreciated :wink:.

You may need to use an undocumented API, I guess.
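The per-user enrollment lookup used in the rule above, applied across a list of users to produce an audit report. This is an added example, not part of the original thread and not Auth0's code: `classifyEnrollments`, `auditMfa`, `needsFollowUp`, `fakeFetch` and the sample records are hypothetical, and the fetcher is injected so the block runs offline.

```javascript
// Only status === 'confirmed' counts as enrolled, the same test the rule
// above applies; the profile's `multifactor` field is not consulted.
function classifyEnrollments(enrollments) {
  if (!Array.isArray(enrollments) || enrollments.length === 0) return 'none';
  return enrollments.some(e => e && e.status === 'confirmed')
    ? 'confirmed'
    : 'unconfirmed';
}

// Look up every user with a bounded number of parallel requests.
// fetchEnrollments(id) must return a promise for that user's enrollment array.
// With the SDK client from the rule above it could be wrapped as (assumption):
//   id => new Promise((ok, fail) => management.getGuardianEnrollments(
//     { id: id }, (err, list) => (err ? fail(err) : ok(list))))
async function auditMfa(userIds, fetchEnrollments, concurrency = 5) {
  const report = new Map();
  const queue = [...userIds];
  async function worker() {
    while (queue.length > 0) {
      const id = queue.shift();
      try {
        report.set(id, classifyEnrollments(await fetchEnrollments(id)));
      } catch (err) {
        // A failed lookup is reported as such, never as enrolled or 'none'.
        report.set(id, 'error');
      }
    }
  }
  const workers = Math.min(concurrency, queue.length);
  await Promise.all(Array.from({ length: workers }, () => worker()));
  return report;
}

// Users an auditor should follow up on: anything other than 'confirmed'.
function needsFollowUp(report) {
  return [...report].filter(([, s]) => s !== 'confirmed').map(([id]) => id).sort();
}

// Constructed sample data standing in for Management API responses.
const SAMPLE = {
  'auth0|alice': [{ id: 'dev_1', status: 'confirmed' }],
  'auth0|bob': [{ id: 'dev_2', status: 'pending' }], // started, not finished
  'auth0|carol': [], // no enrollments on record
};
async function fakeFetch(id) {
  if (!(id in SAMPLE)) throw new Error('lookup failed for ' + id);
  return SAMPLE[id];
}
auditMfa(Object.keys(SAMPLE), fakeFetch).then(r => console.log(needsFollowUp(r)));
```

Keeping `concurrency` low matters against a real tenant, since each user costs one Management API request.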