Additional properties not allowed: multifactor_last_modified multifactor

Hi,
I followed the document here for MFA and finished the final step, so I could get an access token successfully. But when I called again for a new round to get a new MFA token (the first step, "Get MFA token"), this issue happened:

{
    "error": "access_denied",
    "error_description": "Payload validation error: 'Additional properties not allowed: multifactor_last_modified,multifactor (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in https://auth0.com/docs/api/v2/changes for more details)'."
}

My command to get the MFA token in the new round:

curl --location --request POST 'https://dev-simplifi.us.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=****' \
--data-urlencode 'password=****' \
--data-urlencode 'client_id=m2tMUuWeq3RoLk8CQGJmC4jnziuFoY2b' \
--data-urlencode 'client_secret=zAEfsuARLxDm16UgnL5_jhqeCgBH9m1Qe6FS3_q6nezrOur22VTsOhDnlRzbRfWP' \
--data-urlencode 'audience=playground-2fa-api' \
--data-urlencode 'scope=offline_access openid profile email '

Note: I checked the account and saw that the value “guardian” in multifactors has been removed.

Does anyone have experience with this issue? The account is broken now, even for login without MFA (I have to remove the account, but I still hit this issue when trying with MFA).

Hey there,
Two things that come to my mind as the potential source of your problem:

  • your current plan for the Auth0 tenant. It has to be “Enterprise” or “Dev Pro”. When I implemented MFA for my test free tenant, I was able to test it once, after which I received errors.
  • if your current plan is Enterprise or Dev Pro, and you have enabled MFA for the specific application you test it for, please check if the affected account has a verified email. It’s a requirement.

Please keep us posted if that solved / brought the required insight into your topic! Have a good day!

1 Like

Thanks Marcelina,
I’ve just found the root cause. There is a Rule for updating the user; in this rule I need to delete the attributes that are not allowed to be updated.
I have to add some lines to ignore multi-factor for the updates.


The problem is now solved.

2 Likes
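
One way to do what the last reply describes, as an added example that is not the poster's Rule or Auth0's code: read the rejected attribute names out of the error and drop them from the update payload before it is sent. The function names and the sample user object are assumptions constructed for illustration; the attribute names and the error text come from the first post.

```javascript
// Added example, not the poster's Rule. All function names are hypothetical.

// Attributes the error message on this page reports as rejected.
const READ_ONLY = ['multifactor', 'multifactor_last_modified'];

// Extract the rejected property names from an error_description such as
// "Payload validation error: 'Additional properties not allowed: a,b (consider ...".
function rejectedProperties(errorDescription) {
  const match = /Additional properties not allowed:\s*([^('\n]+)/.exec(
    errorDescription || ''
  );
  if (!match) return [];
  return match[1].split(/[,\s]+/).filter(Boolean);
}

// Return a copy of the update payload without the given top-level attributes.
// The input object is left untouched so the rest of the Rule still sees it.
function stripProperties(payload, names = READ_ONLY) {
  const blocked = new Set(names);
  return Object.fromEntries(
    Object.entries(payload).filter(([key]) => !blocked.has(key))
  );
}

// Error body as quoted in the first post.
const sampleError = {
  error: 'access_denied',
  error_description:
    "Payload validation error: 'Additional properties not allowed: " +
    'multifactor_last_modified,multifactor (consider storing them in ' +
    'app_metadata or user_metadata. See "Users Metadata" in ' +
    "https://auth0.com/docs/api/v2/changes for more details)'.",
};

// Constructed sample of a user object a Rule might try to write back.
const sampleUser = {
  email: 'user@example.com',
  user_metadata: { plan: 'trial' },
  multifactor: ['guardian'],
  multifactor_last_modified: '2021-01-01T00:00:00.000Z',
};

const rejected = rejectedProperties(sampleError.error_description);
const cleaned = stripProperties(sampleUser, rejected);
console.log(rejected, cleaned);
```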
