Can't remove 2FA from my auth0 management account

I got a new phone and need to set up the new authenticator app, but I’m unable to remove the current 2FA from it (the TOTP one-time code setting).

I click remove, it asks “Are you sure you want to remove the authenticator?”, I click yes, then it asks me to login to confirm my identity. I put in my username and password, but it always says “There was an error processing the login”. I even tried resetting my password to make sure I had the correct one, but the error is the same. Really not keen on carrying around my old phone forever just to retain Auth0 access.

1 Like

Hey there @bradmac! Are there any additional errors or logs on the management or device side of things that we can go off of? I would love to help you get this solved, I just need a little bit more information. Thanks in advance!

Because this is for my Auth0 management account (https://manage.auth0.com/#/profile), and not my account within our tenant, I don’t believe I have access to any relevant Auth0 logs. I did grab some messages from Chrome’s inspector if that helps:

Auth0 identity confirmation log.txt (2.4 KB)

I have the same issue:

Please have a look at support - ticket #45479. It was fixed 2 months ago but seems to have reappeared.

Still looks odd that you have an older Lock version in the manage page
src="https://cdn.auth0.com/js/lock-9.2.1.min.js"

than on the login page:
src="https://cdn.auth0.com/js/lock/10.24/lock.min.js"

Thanks
Simon

2 Likes

Hi James.
What more information can we provide? I don’t see any logs in my account relevant to this error. (Probably because it’s failing on CORS before sending any requests).
Please see my post above.
Simon

@bradmac I see from your log that you are using an older version of the Auth0 lock, can we get you to update to version 11 when you get a moment? From there we will see if the issue still occurs and proceed to the next step.

@sbf I checked the ticket you referenced above and it too appeared to be using an older version of lock. When you get a chance can you upgrade as well?

Thank you both in advance!

@James.Morrison - I’m logging directly into manage.auth0.com - Isn’t the choice of lock version completely in your hands in this case?

1 Like

I’m experiencing the same issue where I cannot remove the MFA device using the same steps, and I’m seeing the same CORS error as soon as I select ‘Remove’.

Failed to load https://auth0.auth0.com/user/ssodata: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘https://manage.auth0.com’ is therefore not allowed access. The response had HTTP status code 404.

1 Like

Correction – CORS error occurs after prompted ‘Are you sure you want to remove the authenticator?’ and I select ‘Yes’.

1 Like

We’re having trouble with Auth0.com (our own sites were updated way ago!)
https://manage.auth0.com/#/profile
@jmangelo: please have a look at this and review ticket #45479

@James.Morrison Same issue here. Not able to remove the TOTP in order to set my new authenticator client. As stated by @bradmac this is happening on the dashboard for managing auth0 itself, not within our tenant.

Do you have any timelines on when this issue could be resolved?

Thank you in advance. 🙂

@James.Morrison same problem also here. I guess I’m just piling on now 😕

@James.Morrison, same problem for me with my management account.

Hey there everyone @bradmac, @sbf, @dgua, @daniel.b, @dtraviglia, @nbessa! When you get a chance can you attempt the flow in question in a new browser session? For example, can you open a new Chrome Incognito window and attempt to add the device there? If this works then this may be related to browser cookies and my recommendation would be for you to clear any cookies associated with the auth0.com domain in the window where the flow fails. Please let me know if this helps!

@James.Morrison same CORS issue for me when Incognito / with cleared cookies.

2 Likes

@James.Morrison same for me too. Tried Firefox incognito with cleared cookies and cache.

Hi @James.Morrison,

Thanks for the quick reply. I attempted the same on multiple browsers and OS. Chrome, Firefox on Ubuntu, Android and Mac OS. (Incognito and clearing all data)

If you need some more data, please let me know. But I believe the screenshot of @sbf is enough to describe the CORS issue. (Trying to load data from auth0.auth0.com from the page manage.auth0.com is not allowed.)

Regards,

Daniel

3 Likes

No difference running Chrome incognito.

@James.Morrison were you able to reproduce? Have you made any changes to the code? Otherwise I’ve tested with three browsers exhibiting the same erroneous behavior also in incognito mode.
I had to lose my device and now I’m forced to log in using emergency codes until this issue has been fixed.

@nbessa, @dtraviglia, @daniel.b, @dgua, @bradmac, and @sbf

When you get a moment can each of you DM me with the following information so we can move forward on:

  • Let me know whether you want to reset the MFA enrollment (i.e. change device) or remove it altogether.
  • Let me know the email address of the affected user and any other instruction that the user might have provided (i.e. “Just for my Google social login”).
  • Associated Tenant

From there I will work with our team to remove MFA and let you know as each case is resolved. Thank you in advance.

3 Likes