Associate MFA factor from own UI: error on factor activation

nicolas_sabena · July 7, 2020, 3:27am

Hey @thijmen96
It’s admittedly confusing, but the “MFA token” can be obtained in two ways:

what’s returned as the mfa token along with the mfa_required error in the resource owner password grant flow
the access token you obtain with regular /authorize request, with an audience=https://YOUR_AUTH0_DOMAIN/mfa/ and scopes enroll read:authenticators delete:authenticators

So, essentially, the same token used for enrollment is used to confirm the authenticator.

If you are using custom domains there’s a small gotcha: you can use your custom domain for the /oauth/token for all requests, but the MFA API audience will still need to be https://YOUR_AUTH0.COM_DOMAIN/mfa/.

I just tested the flow and worked on my machine () If it still doesn’t work for you, show me the actual domain for your request, and the payload of the access token you are trying to use.

Topic		Replies	Views
Error while confirming MFA SMS enrollment Help mfa , phone-factor	0	685	September 22, 2023
How to get MFA API Access Tokens? Help mfa , mfa-api	3	4577	February 28, 2023
OTP Setup via API needs mfa_token Help mfa	3	3521	July 27, 2019
{"error"=>"access_denied", "error_description"=>"User is already enrolled."} Help	6	4691	January 31, 2020
How to Enroll a User in Both Google Authenticator and SMS with MFA API Knowledge Articles mfa , sms , google-authenticator , multi-factor , mfa-api , enroll	1	3897	June 30, 2022

Associate MFA factor from own UI: error on factor activation

Related topics