Enrolling multiple factors/authentication methods or changing a user's MFA

Problem statement

We’re building a custom UI to allow logged-in users to change their Auth0 MFA number, following this documentation:

We only have a phone number as an MFA option (with either voice or text message). Do we need to reset a user’s existing MFA number before they’re allowed to enroll in another factor?

And what would be the endpoints we’d need to call in order after obtaining the MFA token?

Symptoms

Need to enroll multiple factors/authentication methods of the same type for a given user.

Solution

You can enroll another authenticator for a user without needing to remove an existing one.

For example, for an SMS factor, the steps are listed here:

Please note that to enroll another authentication method/factor on an account that already has an enrolled authenticator, the user must first complete an MFA challenge with an existing authenticator to obtain an MFA API access token (with the enroll scope). They can then call the /associate endpoint to register the new phone number and verify it with the binding code, using the previously obtained MFA access token.

If you attempt to enroll a new factor without an MFA access token that carries the enroll scope, you will get the “User is already enrolled” error, because the endpoint is also designed to cater to newly signed-up users who have no MFA set up yet.

Once this is complete, they can delete the old SMS authenticator using the same MFA access token, provided it has not expired.
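The associate, verify and delete sequence described above, as an added example that is not part of this article or of Auth0's own code. The endpoint paths, body fields and grant type are taken from Auth0's public MFA API documentation and are assumptions here; the HTTP transport is injected so the flow runs offline against a constructed fake tenant.

```python
"""Enroll a second SMS authenticator, confirm it, then delete the old one, all with one MFA API access token.
Endpoint paths, body fields and the grant type follow Auth0's public MFA API docs (assumed, not from the article)."""
from typing import Any, Callable, Dict
from urllib.parse import quote, unquote

MFA_OOB_GRANT = "http://auth0.com/oauth/grant-type/mfa-oob"  # grant that completes an out-of-band (SMS) step

def replace_sms_number(http: Callable, domain: str, client_id: str, mfa_access_token: str,
                       old_authenticator_id: str, new_phone: str, read_binding_code: Callable[[], str]) -> None:
    """http(method, url, headers, body) -> parsed JSON (injected so this runs offline). mfa_access_token must carry
    the `enroll` scope, earned by passing a challenge on an existing authenticator, else "User is already enrolled"."""
    auth = {"Authorization": f"Bearer {mfa_access_token}"}
    assoc = http("POST", f"https://{domain}/mfa/associate", auth,
                 {"authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": new_phone})
    if "oob_code" not in assoc:
        raise PermissionError(assoc.get("error_description", "associate failed"))  # old number untouched
    # The user receives a binding code by SMS; exchanging it together with oob_code completes the enrollment.
    confirm = http("POST", f"https://{domain}/oauth/token", {},
                   {"grant_type": MFA_OOB_GRANT, "client_id": client_id, "mfa_token": mfa_access_token,
                    "oob_code": assoc["oob_code"], "binding_code": read_binding_code()})
    if "access_token" not in confirm:
        raise ValueError(confirm.get("error_description", "binding code rejected"))
    # Only now, with the new number verified, drop the old authenticator (same token, provided it has not expired).
    http("DELETE", f"https://{domain}/mfa/authenticators/{quote(old_authenticator_id, safe='')}", auth, {})

def fake_auth0(state: Dict[str, Any]) -> Callable:
    """Constructed stand-in for the tenant: tokens prefixed 'enroll-' carry the enroll scope; the SMS code is 123456."""
    def http(method, url, headers, body):
        path, token = url.split("/", 3)[3], headers.get("Authorization", "Bearer ").split(" ", 1)[1]
        if path == "mfa/associate" and not token.startswith("enroll-"):
            return {"error": "access_denied", "error_description": "User is already enrolled"}
        if path == "mfa/associate":
            state["pending"] = body["phone_number"]
            return {"oob_code": "oob-1", "binding_method": "prompt", "oob_channel": "sms"}
        if path == "oauth/token" and body.get("binding_code") != "123456":
            return {"error": "invalid_grant", "error_description": "Invalid binding_code"}
        if path == "oauth/token":
            state["authenticators"].append({"id": "sms|new", "active": True, "name": state.pop("pending")})
            return {"access_token": "mfa-api-token"}
        if method == "DELETE":  # /mfa/authenticators/{id}
            gone = unquote(path.rsplit("/", 1)[1])
            state["authenticators"] = [a for a in state["authenticators"] if a["id"] != gone]
        return {}
    return http

if __name__ == "__main__":
    tenant = {"authenticators": [{"id": "sms|old", "active": True, "name": "XXXXXXXX1234"}]}
    replace_sms_number(fake_auth0(tenant), "tenant.example.auth0.com", "client-id", "enroll-token", "sms|old", "+15550100", lambda: "123456")
    print([a["id"] for a in tenant["authenticators"]])  # ['sms|new']
```

In production the transport would wrap a real HTTP client and the binding code would come from the user's input in your custom UI; the old authenticator id comes from listing the user's authenticators with the same token.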

Alternatively, you can have a secure backend that can manage the user’s factors for them, using the recently released Factor Management API endpoints, hosted within the Management API: