Problem statement
We are seeing “invalid_request (No MFA factors enabled for enrollment)” error on login attempts even with MFA policy set to ‘Never’ and no extensibility affecting MFA in any way.
Cause
There is an issue at the moment where setting “identifier_first”: false, and “webauthn_platform_first_factor”: true, with the /api/v2/prompts endpoint will force MFA requirement even with MFA policy set to Never.
After making the change above, if you go to the Dashboard > Authentication > Authentication Profile, it will appear that Username + Password is still enabled.
Logins then fail back to the callback URL with “invalid_request (No MFA factors enabled for enrollment)”. We’re using Terraform.
Solution
Our engineering team is working on that but here are the actions to take for the moment:
- If you want Identifier First + Biometrics enabled, you must set both “identifier_first”: true, and “webauthn_platform_first_factor”: true.
- If you do not want Identifier First + Biometrics enabled, you must set “webauthn_platform_first_factor”: false.