Automatic MFA Re-Enrollment if User Logs in with Recovery Code

Problem statement

Is it possible to create an action that will trigger re-enrollment of TOTP-based MFA if users log in with a recovery code as their second factor?

Assuming users will log in with a recovery code only if they do not have access to their phones anymore, is there a way to automatically trigger the enrollment of a new phone without the need to contact a tenant admin to reset their MFA?

Solution

Unfortunately, this type of flow isn’t possible as it is not recommended to remove an MFA factor without the user specifically stating they want to remove the MFA.

The best way to grant users the ability to remove and add MFA factors is by creating a custom interface for the application that utilizes the MFA API to add and remove MFA enrollments. More information about the MFA API can be found here: Auth0 MFA API
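As an added illustration of the self-service approach described above (not code from Auth0 or from the original article), the following Python sketch lists a user's authenticators through the MFA API, removes the active TOTP ones only after the user has explicitly confirmed, and then starts enrollment of a replacement. It assumes the tenant domain placeholder and an MFA API access token carrying the `read:authenticators`, `remove:authenticators` and `enroll` scopes; the `call` parameter exists so the flow can be exercised without network access.

```python
import json
import urllib.request

# Constructed placeholder for the tenant domain; replace with the real tenant.
MFA_BASE = "https://YOUR_TENANT.auth0.com/mfa"


def _call(method, path, token, body=None):
    """Send one request to the MFA API and return its decoded JSON body (or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        MFA_BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def select_totp_for_removal(authenticators, user_confirmed):
    """Return the ids of active TOTP ('otp') authenticators, and only when the
    user has explicitly confirmed the reset. Recovery codes and other factor
    types are never selected, so the user keeps their remaining factors."""
    if not user_confirmed:
        return []
    return [a["id"] for a in authenticators
            if a.get("authenticator_type") == "otp" and a.get("active")]


def reset_totp(token, user_confirmed, call=_call):
    """Self-service TOTP reset: list the caller's authenticators, remove the
    active TOTP ones after explicit confirmation, then begin enrollment of a
    new TOTP authenticator. Returns the association response (barcode_uri,
    secret, new recovery code) for the UI to show, or None if nothing was done."""
    authenticators = call("GET", "/authenticators", token)
    to_remove = select_totp_for_removal(authenticators, user_confirmed)
    if not to_remove:
        return None
    for auth_id in to_remove:
        call("DELETE", f"/authenticators/{auth_id}", token)
    return call("POST", "/associate", token, {"authenticator_types": ["otp"]})
```

The confirmation flag is the point: the removal step never runs on the strength of a recovery-code login alone, which is the condition the answer above says should not be automated.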
