Deleting Users Does NOT Delete Their Authenticators

Problem Statement

Using the API (/api/v2/guardian/enrollments/), we can retrieve the guardian_authenticators information for users deleted from the Dashboard.

Does the MFA information remain forever unless deleted by the API? Is it not automatically deleted after a certain period of time?

Solution

The user's MFA information stays in the database until it is deleted from the user. Under the current design, if you want the MFA details removed along with the user, call the DELETE /api/v2/users/{id}/authenticators endpoint.

If you have feedback about our product, please feel free to share it with our Product team via the feedback page.

Additionally, our Engineering team is aware of the following scenario: if a user is recreated with the same user_id, the MFA will still apply to this newly created user. This is reproducible using a Custom Database. We have an open backlog item to correct this behavior. There is no delivery date yet, but you may create a new support ticket or raise a community topic at any time to ask us for updates.
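The following is an added example, not code from this article or from the vendor. It shows the ordering the Solution implies: remove the authenticators with DELETE /api/v2/users/{id}/authenticators first, and delete the user only if that succeeded, so a user later recreated with the same user_id does not inherit the old MFA data. The tenant domain, the token, the helper names and the use of DELETE /api/v2/users/{id} for the user deletion itself are assumptions.

```python
import urllib.error
import urllib.parse
import urllib.request


def _send(method, url, token):
    """Default transport: one Management API call, returns the HTTP status."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def delete_user_with_authenticators(domain, token, user_id, send=_send):
    """Remove MFA authenticators first, then the user.

    Returns the list of (method, url, status) calls made. Raises RuntimeError
    and leaves the user in place if the authenticators could not be removed,
    so the user_id is never freed while MFA data is still attached to it.
    `send` is a hypothetical injection point for testing or a custom client.
    """
    # user_id values such as "auth0|abc123" contain "|" and must be URL-encoded.
    uid = urllib.parse.quote(user_id, safe="")
    base = f"https://{domain}/api/v2/users/{uid}"
    calls = []

    # Step 1: the endpoint named in this article.
    status = send("DELETE", f"{base}/authenticators", token)
    calls.append(("DELETE", f"{base}/authenticators", status))
    if not 200 <= status < 300:
        raise RuntimeError(f"authenticator cleanup failed ({status}); user kept")

    # Step 2 (assumed endpoint): delete the user itself.
    status = send("DELETE", base, token)
    calls.append(("DELETE", base, status))
    if not 200 <= status < 300:
        raise RuntimeError(f"user deletion failed ({status})")
    return calls
```

For users already deleted from the Dashboard, only step 1 applies: call the authenticators endpoint for the old user_id before that identifier can be reused.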