Best practices Change MFA Ph#

Hi @narayanak,

Thanks for the reply.

That won’t be possible. Recall that the general idea to change MFA phone numbers is as follows:

  1. The user accesses the “profile” page and chooses “Change phone number”.
  2. The page redirects the user to Auth0 to authenticate, using the MFA API as the audience. Make sure MFA is enforced to prevent account takeover.
  3. Once the re-auth is completed, use the MFA token to register the new phone number as a factor and delete the old one (in this order, so that the account does not stay without MFA at all, even for a short time).
    You might want to consider enabling Attack Protection to prevent attacks and stop malicious attempts to log in.

In order for the account to be compromised, the threat actor would need to possess the user’s MFA device and not just knowledge of the email/password. Combined with Attack Protection, this should increase the overall security posture of your system and prevent malicious attacks.

Let me know if you have any questions.

Cheers,
Rueben
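The three-step flow described in the reply above, written out as an added example (this is not code from the original post or from Auth0). It assumes the `mfa_token` is the access token obtained in the re-auth step for the `https://{domain}/mfa/` audience with the `enroll`, `read:authenticators` and `remove:authenticators` scopes, and that the enrollment is an SMS (out-of-band) factor confirmed with the code the user reads from the text message. The HTTP layer is an injected callable so the ordering logic can run offline; `FakeAuth0`, its authenticator ids and the `123456` binding code are constructed test data, not real tenant responses.

```python
"""Auth0 MFA phone rotation: enroll the new number, confirm it, then delete the old.

Added example, not code from the original post or from Auth0. Paths and payloads
follow the documented MFA API (/mfa/associate, /mfa/authenticators, /oauth/token
with the mfa-oob grant); the transport is injected so it runs offline against FakeAuth0.
"""
import re

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"


class MfaApi:
    """transport(method, path, json_body, bearer) -> parsed JSON response."""

    def __init__(self, transport, mfa_token, client_id):
        self.transport = transport
        # Token from the re-auth step: audience https://{domain}/mfa/ with scopes
        # enroll, read:authenticators and remove:authenticators (assumed, see lead-in).
        self.mfa_token = mfa_token
        self.client_id = client_id

    def list_authenticators(self):
        return self.transport("GET", "/mfa/authenticators", None, self.mfa_token)

    def associate_sms(self, phone):
        body = {"authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": phone}
        return self.transport("POST", "/mfa/associate", body, self.mfa_token)

    def confirm_oob(self, oob_code, binding_code):
        body = {"grant_type": MFA_OOB_GRANT, "client_id": self.client_id,
                "mfa_token": self.mfa_token, "oob_code": oob_code, "binding_code": binding_code}
        return self.transport("POST", "/oauth/token", body, None)

    def delete_authenticator(self, authenticator_id):
        return self.transport("DELETE", f"/mfa/authenticators/{authenticator_id}", None, self.mfa_token)


def active_sms_ids(api):
    return {a["id"] for a in api.list_authenticators()
            if a.get("authenticator_type") == "oob" and a.get("oob_channel") == "sms" and a.get("active")}


def rotate_sms_factor(api, new_phone, read_binding_code):
    """Enroll new_phone, confirm it with the code the user reads from the SMS,
    and only then remove the previously active SMS authenticators."""
    if not re.fullmatch(r"\+[1-9]\d{6,14}", new_phone):
        raise ValueError("phone number must be E.164, e.g. +15551234567")
    old_ids = active_sms_ids(api)
    assoc = api.associate_sms(new_phone)
    # Possession check: a wrong or expired code raises here and the old factor stays.
    api.confirm_oob(assoc["oob_code"], read_binding_code())
    new_ids = active_sms_ids(api) - old_ids
    if len(new_ids) != 1:
        raise RuntimeError("new SMS factor is not active; leaving the old factor in place")
    for old in sorted(old_ids):
        api.delete_authenticator(old)
    return {"new": new_ids.pop(), "removed": sorted(old_ids)}


class FakeAuth0:
    """Constructed stand-in for the tenant: just enough state to exercise the ordering."""

    def __init__(self):
        self.authenticators = [{"id": "sms|dev_old", "authenticator_type": "oob",
                                "oob_channel": "sms", "active": True}]
        self.pending = {}          # oob_code -> id of the authenticator awaiting confirmation
        self.sms_code = "123456"   # constructed binding code the fake "texts" to the new phone
        self.deleted = []

    def __call__(self, method, path, body, bearer):
        if method == "GET" and path == "/mfa/authenticators":
            return [dict(a) for a in self.authenticators]
        if method == "POST" and path == "/mfa/associate":
            new_id = f"sms|dev_{len(self.authenticators)}"
            self.authenticators.append({"id": new_id, "authenticator_type": "oob",
                                        "oob_channel": "sms", "active": False})
            self.pending["oob_" + new_id] = new_id
            return {"authenticator_type": "oob", "oob_channel": "sms",
                    "binding_method": "prompt", "oob_code": "oob_" + new_id}
        if method == "POST" and path == "/oauth/token":
            target = self.pending.get(body["oob_code"])
            if target is None or body["binding_code"] != self.sms_code:
                raise PermissionError("invalid_grant")
            for a in self.authenticators:
                if a["id"] == target:
                    a["active"] = True
            return {"access_token": "constructed", "token_type": "Bearer"}
        if method == "DELETE" and path.startswith("/mfa/authenticators/"):
            aid = path.rsplit("/", 1)[1]
            self.authenticators = [a for a in self.authenticators if a["id"] != aid]
            self.deleted.append(aid)
            return {}
        raise LookupError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    fake = FakeAuth0()
    api = MfaApi(fake, mfa_token="<token with mfa audience>", client_id="<client id>")
    print(rotate_sms_factor(api, "+15551234567", lambda: fake.sms_code))
```

The order matters in two places: the old authenticator is only looked up and deleted after the new one is confirmed active, and a wrong binding code surfaces as an error from `/oauth/token` before any `DELETE` is sent, so the account never drops below one working factor. Wiring the `transport` to a real HTTP client against the tenant's `https://{domain}` base URL is left to the application.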