Last Updated: Dec 4, 2024
Overview
This article explains whether a user's existing Multi-factor Authentication (MFA) phone number must be reset before they enroll a new one, and which endpoints to call once the MFA token has been obtained.
Applies To
- Multi-Factor Authentication (MFA)
- Enroll Multiple Factors/Authentication Methods
Solution
Another authenticator can be enrolled for a user without removing an existing one.
For example, for an SMS factor, the steps are described in these articles:
- Enroll and Challenge SMS and Voice Authenticators
- Manage Authentication Factors with Authentication API
NOTE: To enroll another authentication method or factor in an account that already has an enrolled authenticator, the user must first verify an MFA challenge with an existing authenticator to obtain an MFA API access token (with the enroll scope). They can then call the /associate endpoint to register a new phone number and verify it with the binding code, using the MFA access token obtained in the previous step.
When attempting to enroll a new factor without an MFA access token carrying the enroll scope, a "User is already enrolled" error is returned, because the same endpoint also serves newly signed-up users who have no MFA set up yet.
Once this is complete, the user can delete the old SMS authenticator with the same MFA access token, provided it has not expired. Alternatively, a secure backend can manage the user's factors on their behalf using the recently released Factor Management API endpoints hosted within the Management API:
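The sequence described above, as an added example that is not Auth0's code or part of this article: challenge the existing SMS authenticator, exchange the typed code for an MFA API token, register the new number via /mfa/associate, confirm its binding code, and finally delete the old authenticator with the same token. The endpoint paths, JSON field names and the mfa-oob grant type string follow Auth0's public MFA API documentation but are assumptions of this example; the tenant domain, client id, authenticator ids, phone numbers, codes and every canned response are constructed so the flow runs offline, and the FakeTenant answers "User is already enrolled" whenever /mfa/associate is called without the enroll-scoped token, mirroring the error the article explains.

```python
"""Added example (not Auth0's code): enrolling a second SMS authenticator without
removing the first, then deleting the old one with the same MFA API token.

Endpoint paths, JSON field names and the mfa-oob grant type string follow
Auth0's public MFA API documentation but are assumptions of this example; the
tenant domain, client id, authenticator ids, phone numbers, codes and every
response body below are constructed so the flow runs offline."""
import json
from urllib import request as urlrequest

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"  # assumed grant type value


def http_send(method, url, headers, body):
    """Real transport for a live tenant: one JSON round trip over urllib."""
    data = json.dumps(body).encode() if body is not None else None
    req = urlrequest.Request(url, data=data, method=method,
                             headers={**headers, "Content-Type": "application/json"})
    with urlrequest.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


class FakeTenant:
    """Constructed stand-in for a tenant: records every request, replays canned answers."""

    def __init__(self):
        self.calls = []  # (method, path, bearer header, body)

    def __call__(self, method, url, headers, body):
        path = url.split("/", 3)[3]
        bearer = headers.get("Authorization")
        self.calls.append((method, path, bearer, body))
        if path == "mfa/challenge":
            return {"challenge_type": "oob", "oob_code": "OOB_OLD"}
        if path == "oauth/token" and body["mfa_token"] == "MFA_TOKEN":
            # step-up against the existing SMS factor yields an enroll-scoped MFA API token
            return {"access_token": "MFA_API_TOKEN", "scope": "enroll remove:authenticators"}
        if path == "mfa/associate":
            if bearer != "Bearer MFA_API_TOKEN":  # no enroll-scoped token presented
                return {"error": "access_denied", "error_description": "User is already enrolled."}
            return {"authenticator_type": "oob", "oob_channel": "sms",
                    "binding_method": "prompt", "oob_code": "OOB_NEW"}
        if path == "oauth/token" and body["mfa_token"] == "MFA_API_TOKEN":
            return {"access_token": "SESSION_TOKEN", "token_type": "Bearer"}
        if method == "DELETE" and path.startswith("mfa/authenticators/"):
            return {}  # 204 No Content in the real API
        raise AssertionError(f"unexpected call {method} {path}")


def challenge_sms(domain, client_id, mfa_token, authenticator_id, send):
    """Ask the tenant to text a code to an already-enrolled SMS authenticator."""
    return send("POST", f"https://{domain}/mfa/challenge", {},
                {"client_id": client_id, "mfa_token": mfa_token,
                 "challenge_type": "oob", "authenticator_id": authenticator_id})


def exchange_oob(domain, client_id, mfa_token, oob_code, binding_code, send):
    """Trade the code the user typed for a token (mfa-oob grant)."""
    return send("POST", f"https://{domain}/oauth/token", {},
                {"grant_type": MFA_OOB_GRANT, "client_id": client_id, "mfa_token": mfa_token,
                 "oob_code": oob_code, "binding_code": binding_code})


def associate_sms(domain, mfa_api_token, phone_number, send):
    """Register a new phone number; needs a bearer token carrying the enroll scope."""
    return send("POST", f"https://{domain}/mfa/associate",
                {"Authorization": f"Bearer {mfa_api_token}"},
                {"authenticator_types": ["oob"], "oob_channels": ["sms"],
                 "phone_number": phone_number})


def remove_authenticator(domain, mfa_api_token, authenticator_id, send):
    """Delete an authenticator with the same (still valid) MFA API token."""
    return send("DELETE", f"https://{domain}/mfa/authenticators/{authenticator_id}",
                {"Authorization": f"Bearer {mfa_api_token}"}, None)


def enroll_additional_sms(domain, client_id, mfa_token, existing_sms_id, new_phone,
                          read_code, send):
    """Full sequence from the article. `mfa_token` is the one returned alongside the
    mfa_required error by a token request whose audience was the tenant's MFA API
    (https://{domain}/mfa/) and whose requested scope included `enroll`;
    `read_code(label)` returns whatever the user typed for that challenge."""
    ch = challenge_sms(domain, client_id, mfa_token, existing_sms_id, send)
    tok = exchange_oob(domain, client_id, mfa_token, ch["oob_code"],
                       read_code("existing phone"), send)
    if "enroll" not in tok.get("scope", "").split():
        raise PermissionError("MFA API token lacks the enroll scope; /mfa/associate "
                              "would answer 'User is already enrolled'")
    mfa_api_token = tok["access_token"]
    assoc = associate_sms(domain, mfa_api_token, new_phone, send)
    if "error" in assoc:
        raise RuntimeError(assoc["error_description"])
    # the new number is not usable until its binding code has been confirmed
    exchange_oob(domain, client_id, mfa_api_token, assoc["oob_code"],
                 read_code("new phone"), send)
    return mfa_api_token
```

Pass `http_send` instead of a `FakeTenant` to run against a real tenant; the transport is injected so the same orchestration code is exercised offline. The scope check before calling /mfa/associate is the practical guard: a token obtained for the wrong audience will pass the challenge step and only fail later with the misleading "User is already enrolled" message.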