
{"error"=>"access_denied", "error_description"=>"User is already enrolled."}

We allow our users to choose between SMS or the Google Authenticator app,
and the first time they pick one the process runs through just fine.

When a user wants to change, our API gets this error:
{"error"=>"access_denied", "error_description"=>"User is already enrolled."}

Any help would be much appreciated :slight_smile:



Could you give us more technical information about how you perform this MFA factor change?


1 Like

Hi @lucas.sonich

Thanks for replying :slight_smile:

Well, to associate an OTP device I use:

  1. I get the mfa_token using the /token
  2. I call the /mfa/associate endpoint using the new mfa_token from step 1

```ruby
require 'json'

# The mfa_token from step 1 is sent as the bearer token.
headers = { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{mfa_token}" }
body = {
  authenticator_types: ['otp'],
  scope: 'enroll read:authenticators remove:authenticators',
  audience: "#{RunEnv.var!('AUTH0_BASE_URL')}/mfa/"
}

# Options passed to the HTTP call against /mfa/associate.
request = {
  body: body.to_json,
  headers: headers
}
```

It's worth saying that the first time I associate a device, it works fine.


Unfortunately, you can’t overwrite the factor. First, you should remove the Google Authenticator app and then add the SMS factor (or backwards). I hope that information is useful.


1 Like
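
The order of operations described in the reply above (remove the enrolled factor, then associate the other one), sketched as an added example that is not code from the thread or from Auth0. `plan_factor_change` is a hypothetical helper, the authenticator list, ids and phone number are constructed sample values, and the input is assumed to be the JSON returned by the MFA API's `GET /mfa/authenticators` listing.

```ruby
require 'json'
require 'erb'

# Constructed sample of a GET /mfa/authenticators response (not real data).
SAMPLE_AUTHENTICATORS = <<~JSON
  [
    {"id": "recovery-code|dev_EXAMPLE1", "authenticator_type": "recovery-code", "active": true},
    {"id": "totp|dev_EXAMPLE2", "authenticator_type": "otp", "active": true},
    {"id": "sms|dev_EXAMPLE3", "authenticator_type": "oob", "oob_channel": "sms", "active": false}
  ]
JSON

# Assumption: only active otp/oob entries count as the enrolled factor to remove.
FACTOR_TYPES = %w[otp oob].freeze

# /mfa/associate request bodies for the two factors the application offers.
ASSOCIATE_BODIES = {
  otp: ->(_phone) { { authenticator_types: ['otp'] } },
  sms: ->(phone) { { authenticator_types: ['oob'], oob_channels: ['sms'], phone_number: phone } }
}.freeze

# Returns the ordered requests: DELETE each active factor, then POST the new association.
def plan_factor_change(authenticators_json, new_factor, phone_number: nil)
  builder = ASSOCIATE_BODIES.fetch(new_factor) { raise ArgumentError, "unknown factor: #{new_factor}" }
  raise ArgumentError, 'phone_number required for sms' if new_factor == :sms && phone_number.to_s.empty?

  enrolled = JSON.parse(authenticators_json).select do |a|
    a['active'] && FACTOR_TYPES.include?(a['authenticator_type'])
  end

  # Ids contain "|", so encode them before placing them in the URL path.
  deletes = enrolled.map do |a|
    { method: 'DELETE', path: "/mfa/authenticators/#{ERB::Util.url_encode(a['id'])}" }
  end
  deletes + [{ method: 'POST', path: '/mfa/associate', body: builder.call(phone_number) }]
end

if __FILE__ == $PROGRAM_NAME
  plan_factor_change(SAMPLE_AUTHENTICATORS, :sms, phone_number: '+15555550100').each do |req|
    puts [req[:method], req[:path], req[:body]&.to_json].compact.join(' ')
  end
end
```

Listing the authenticators again after the DELETE calls shows whether any active factor is still attached to the user before `/mfa/associate` is called.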

Great, thanks for the response. Now that you mention the deletion, I must link to my previous question

I could add more code, if needed.

@lucas.sonich I’ve deleted the previous factor successfully (response 204 and it’s not shown anymore in the dashboard).

When adding the new factor (same code as shown above), I still receive the same response: {"error"=>"access_denied", "error_description"=>"User is already enrolled."}

Any idea how to proceed?

Thanks in advance

1 Like

Hello again!

Could you please give us more details about the call and the specific request that you are making?


1 Like