Best practices Change MFA Ph#

So, we have implemented step-up MFA (Phone#). I would like to understand the best practices/ recommendations when somebody has to change the MFA Phone# securely and what are the offerings from Auth0?

Hi @narayanak,

It seems one of our Community Engineers has tackled this question before in another thread. You might find the solution you’re looking for by checking out the Community Post below:


One -ve scenario is, what if the account is compromised?
It appears the hacker can change the MFA Phone# without us verifying his/ her additional/ alternate factor.

Hi @narayanak,

Thanks for the reply.

That won’t be possible. Recall that the general idea to change MFA phone numbers is as following:

  1. The user accesses the “profile” page and chooses “Change phone number”.
  2. The page checks redirects the user to Auth0 to authenticate and use MFA API as audience. Make sure MFA is enforced to prevent account takeover.
  3. Once the re-auth is completed - Use the MFA token to register the new phone number as a factor and delete the old one (in this order - so that the account doesn’t stay without MFA at all even for a short time).
    You might want to consider enabling Attack Protection to prevent attacks and stop malicious attempts to login.

In order for the account to be compromised, the threat actor would need to possess the user’s MFA device and not just knowledge of the email/password. Combined with Attack Protection, this should increase the overall security posture of your system and prevent malicious attacks.

Let me know if you have any questions.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.