Hi! We have an existing application with an existing user base. The users are synced to an Auth0 username-password DB connection via the Management API, and they are logging in with username and password.
Now I introduced multi-factor login with SMS, using Guardian. All works fine, but users have to enter their phone number when they do multi-factor authentication for the first time.
Is there a way to pre-set phone numbers for users for Guardian multi-factor authentication? These are all already verified phone numbers, and we don’t want a user to enter any other phone number than the one we already have.
I’m replying to myself. Finally I disabled Guardian and used passwordless SMS login in addition to login with password. Each user is created two accounts: username-password and SMS. For the SMS account I can set the phone number via the Management API. The SMS account is linked to the username-password account, also via the Management API. A rule and a webtask are used to ask for secondary SMS authentication when needed, similar to this: rules/redirect-rules/sms-mfa at master · auth0/rules · GitHub. Now I cannot remember the browser, but this is OK in my use case.
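The two Management API calls described in the reply above (create the SMS user with the phone number already on file, then link it to the username-password user), as an added example that is not from the thread. The tenant domain, token and user ids are constructed placeholders and the function names are hypothetical; it assumes user ids have the form `provider|id`, and that the id passed to the second call is the one returned by the first.

```javascript
// Added example: builds the two Management API v2 requests described in the post.
// Domain, token and user ids passed in are placeholders supplied by the caller.

const E164 = /^\+[1-9]\d{1,14}$/; // "+" then at most 15 digits, no leading zero

function authHeaders(token) {
  return { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
}

// Step 1: create the passwordless user in the "sms" connection with the known number.
function buildCreateSmsUser(domain, token, phoneNumber) {
  if (!E164.test(phoneNumber)) {
    throw new Error(`phone number is not E.164: ${phoneNumber}`);
  }
  return {
    method: "POST",
    url: `https://${domain}/api/v2/users`,
    headers: authHeaders(token),
    body: JSON.stringify({ connection: "sms", phone_number: phoneNumber, phone_verified: true }),
  };
}

// Step 2: link the SMS user (secondary) to the username-password user (primary).
function buildLinkSmsIdentity(domain, token, primaryUserId, smsUserId) {
  const sep = smsUserId.indexOf("|");
  const provider = smsUserId.slice(0, sep);
  if (sep < 1 || provider !== "sms") {
    // Refuse to link anything that is not an SMS identity.
    throw new Error(`expected an sms|... user id, got: ${smsUserId}`);
  }
  return {
    method: "POST",
    url: `https://${domain}/api/v2/users/${encodeURIComponent(primaryUserId)}/identities`,
    headers: authHeaders(token),
    body: JSON.stringify({ provider, user_id: smsUserId.slice(sep + 1) }),
  };
}

// Sends a built request (Node 18+ global fetch) and fails loudly on a non-2xx answer.
async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`${req.method} ${req.url} -> ${res.status}`);
  return res.json();
}
```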
Is that approach still working for you? I was getting errors in the rule trying to redirect to the webtask, where Auth0 said the redirect was not allowed.
Also - if you linked the sms account to the main one, didn’t that remove the sms account as it was merged into the main account?
Yes, this approach seems to work. We are live with it for a small group of users.
Unfortunately I can’t remember having a similar problem of redirect from rule to webtask not allowed.
I’m not sure if merging the SMS account with the main one actually removed the SMS account. Possibly the Auth0 management console just displays it under the main account. Anyway, the user can log in using either.