Distinguish between OTP and Fallback OTP for Push Authenticators

Overview

When calling GET https://{tenant_domain}/mfa/authenticators to list a user’s authenticators, a user who has both OTP and Push authenticators enrolled will return two “totp” authenticators. This article explains how to distinguish the standalone OTP from the fallback OTP that belongs to the Push authenticator.

Applies To

  • Multifactor Authentication (MFA)
  • OTP

Cause

The naming convention for both types of authenticators is the same, so nothing in the MFA API response tells them apart:

[
  {
    "id": "push|dev_xyz123",
    "authenticator_type": "oob",
    "active": true,
    "oob_channel": "auth0",
    "name": "Device name here"
  },
  {
    "id": "totp|dev_abc123",
    "authenticator_type": "otp",
    "active": true
  },
  {
    "id": "recovery-code|dev_cba321",
    "authenticator_type": "recovery-code",
    "active": true
  },
  {
    "id": "totp|dev_zyx321",
    "authenticator_type": "otp",
    "active": true
  }
]

Solution

For a user with both OTP and Push authenticators enrolled, it is not currently possible to use the MFA API to determine which authenticator is the standalone OTP and which is the Push authenticator’s backup OTP.

The workaround is to use the Management API, where the fallback OTP carries a “link_id” attribute that references the Push authenticator it belongs to; a TOTP entry without “link_id” is the standalone OTP. Please see this document for more details.

If the Push authenticator is deleted, the fallback OTP factor will be automatically deleted, too.
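The classification described above, as an added example that is not Auth0’s own code: it walks a user’s authentication methods as returned by the Management API and labels each TOTP entry as standalone or as a Push fallback based on “link_id”. It assumes the list comes from GET /api/v2/users/{user_id}/authentication-methods with entries carrying “id”, “type” and, for a linked fallback, “link_id”; the device ids are constructed sample values.

```python
# Added example, not Auth0's own code. Classifies TOTP authenticators as
# standalone or push-fallback using the Management API "link_id" attribute.
# Assumption: entries look like those of
# GET /api/v2/users/{user_id}/authentication-methods, with "id", "type" and,
# for a fallback OTP, "link_id" naming its Push method. Ids are constructed.
from typing import Dict, List

# Constructed sample Management API response for one user.
MGMT_METHODS = [
    {"id": "push|dev_xyz123", "type": "push", "confirmed": True},
    {"id": "totp|dev_abc123", "type": "totp", "confirmed": True},
    {"id": "recovery-code|dev_cba321", "type": "recovery-code", "confirmed": True},
    {"id": "totp|dev_zyx321", "type": "totp", "confirmed": True,
     "link_id": "push|dev_xyz123"},
]


def classify_totp(methods: List[dict]) -> Dict[str, str]:
    """Map each TOTP authenticator id to 'standalone', 'fallback' or 'orphaned'.

    A TOTP entry is a Push fallback when its link_id points at a push method
    in the same list. A link_id that points at nothing is reported as
    'orphaned' rather than silently treated as a standalone factor.
    """
    by_id = {m["id"]: m for m in methods}
    result: Dict[str, str] = {}
    for m in methods:
        if m.get("type") != "totp":
            continue
        link = m.get("link_id")
        if link is None:
            result[m["id"]] = "standalone"
        elif by_id.get(link, {}).get("type") == "push":
            result[m["id"]] = "fallback"
        else:
            result[m["id"]] = "orphaned"
    return result


def fallback_for_push(methods: List[dict], push_id: str) -> List[str]:
    """Ids of the OTP methods that go away when the given Push method is deleted."""
    return [m["id"] for m in methods
            if m.get("type") == "totp" and m.get("link_id") == push_id]


if __name__ == "__main__":
    for auth_id, kind in classify_totp(MGMT_METHODS).items():
        print(f"{auth_id}: {kind}")
    print("removed with push:", fallback_for_push(MGMT_METHODS, "push|dev_xyz123"))
```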

Vote for this here if exposing this distinction on the MFA API is desired functionality.

Related References