Auth0 Lock Android with MFA

I am using Flutter and got the Android SDK working with it using both password only and password-less authentication using an email OTP. The problem is, when I enable MFA by setting “Require Multi-Factor Auth” to “Always” and enabling the SMS OTP.

For password-less,

  • Lock shows an error bar to the user
  • Android logs only show “E/PasswordlessLockActivity: Failed to authenticate the user: An error occurred when trying to authenticate with the server”
  • Auth0 Logs page shows “Wrong email or verification code”.

None of these are exactly correct; after turning on debugging, I can see the description for the Authentication error is “Multi-Factor Authentication is required”. I’m wondering why Lock doesn’t then display a page to capture the user’s phone number and an OTP entry page after that, like for Universal Login?

For password login, it gets an authentication failure when I debug like above, but unlike password-less Lock then shows the user a screen called “Two Step Verification”. The problem is it asks: “Please enter a verification code from your code generator application”. This is very confusing for the user because 1. MFA is configured for SMS OTP, 2. user did not even get asked to specify their code generator app. Any code entered here is doomed to fail.

My questions are

  • Does Lock support MFA for password? If so, why is the experience so strange?
  • Does Lock support MFA for password-less? If so, why is it not handling it?
  • Did I misconfigure anything?