Deleting an MFA Factor Does Not Remove the Trusted Device Cookie or Invalidate Sessions

Overview

This article explains why deleting a Multi-Factor Authentication (MFA) factor does not automatically remove a trusted device cookie or invalidate current user sessions. Calling the DELETE /v2/guardian/enrollments/{id} endpoint only removes the specific MFA factor and does not affect any sessions or cookies that may have been established.

Applies To

  • Management API
  • Multifactor Authentication

Cause

A session or a trusted device cookie, once created, becomes independent of the MFA factor used for the initial authentication. The session and cookie establish a trusted relationship with the user’s device or browser and do not need to reference the original authenticator again until they are invalidated.

The endpoint for deleting an MFA factor is designed to affect only the list of factors enrolled for a user. It does not touch any active sessions or the trusted device cookies those sessions established.

Solution

To remove an MFA factor, end any associated session, and invalidate all trusted device cookies, three separate Management API endpoints must be called.

  1. To delete the MFA factor, call the DELETE /v2/guardian/enrollments/{id} endpoint.
  2. To invalidate any sessions authenticated by that factor, call the DELETE /api/v2/users/{user_id}/sessions endpoint. For more information, see Delete User Sessions.
  3. To invalidate the trusted device cookie for the user, call the POST /api/v2/users/{id}/multifactor/actions/invalidate-remember-browser endpoint. This action invalidates all remembered browsers for the specified user. For more information, see Invalidate Remember Browser.
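The three-step procedure above as a single script, added here as an example and not code from the article or from Auth0. It assumes a Management API token with the scopes those calls require and that all three endpoints sit under the tenant's `/api/v2` prefix (the article writes the enrollment path without `/api`); the transport is injected so the call order can be checked offline.

```python
"""Remove an MFA factor AND end the trust it established (Auth0 Management API).

Deleting the enrollment alone leaves sessions and the remember-browser cookie
intact, so the three calls are issued in order and a failure stops the run so
the operator knows which step was not applied.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import quote


def revocation_plan(domain, user_id, enrollment_id):
    """Ordered (method, url, body) triples for the three-step cleanup."""
    base = f"https://{domain}/api/v2"          # assumed prefix, see lead-in
    uid = quote(user_id, safe="")              # user ids contain '|' (e.g. auth0|abc)
    eid = quote(enrollment_id, safe="")
    return [
        ("DELETE", f"{base}/guardian/enrollments/{eid}", None),          # step 1: factor
        ("DELETE", f"{base}/users/{uid}/sessions", None),                # step 2: sessions
        ("POST", f"{base}/users/{uid}/multifactor/actions/invalidate-remember-browser", None),  # step 3: cookie
    ]


def http_send(method, url, body, token):
    """Real transport: one HTTPS request, returning the status code (HTTPError mapped to its code)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_factor_and_trust(domain, user_id, enrollment_id, token, send=http_send):
    """Run the plan in order; raise on the first non-2xx so later steps are not silently skipped.

    Returns a list of (step, status) for the steps that were applied.
    """
    applied = []
    for method, url, body in revocation_plan(domain, user_id, enrollment_id):
        status = send(method, url, body, token)
        applied.append((f"{method} {url}", status))
        if not 200 <= status < 300:
            raise RuntimeError(f"{method} {url} returned {status}; remaining steps not run")
    return applied
```

Run it with the real transport by calling `revoke_factor_and_trust(domain, user_id, enrollment_id, token)`; a `RuntimeError` names the step that failed, so the factor may be gone while sessions or cookies still need cleanup.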