Problem statement
This says that the `event.user.multifactor` property is: "Optional array of strings. List of multi-factor authentication (MFA) providers with which the user is enrolled. This array is updated when the user enrolls in MFA and when an administrator resets a user's MFA enrollments."
From our tests, this property contains:
- An empty array if the user doesn’t have enrolments (correct)
- Always ONE `[ 'guardian' ]` value in the array, and always guardian, even if a user has more than one factor (like guardian + recovery + SMS).
When testing with a user that has 3 factors (a device, so guardian + SMS + recovery code), the multifactor array only has “guardian”.
And if a user has only SMS, I still receive only “guardian”.
Cause
The intent of the `event.user.multifactor` property is to indicate whether the user is enrolled in MFA or not. If the user is enrolled, it will always have a value of guardian. In the dashboard → user profile page → Raw JSON tab, you can see the “guardian_authenticators” attribute, which lists the enrolled authenticators, but unfortunately, this attribute is not available in Rules or Actions.
Solution
As a workaround, you can use “/api/v2/users/{id}/enrollments” to see if the User has a confirmed MFA enrollment. You can also call the endpoint: Auth0 Management API v2 to retrieve all enrollments.
However, please be aware of the rate limits when calling the Management API in Actions/Rules.
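
The workaround above, sketched as an added example (not Auth0's code and not from the original article): it calls the `/api/v2/users/{id}/enrollments` endpoint, keeps only confirmed enrollments, and caches the result per user to reduce Management API calls. The response fields `status`, `auth_method` and `type`, the option names, and the sample data are assumptions.

```javascript
// Added example, not Auth0's code. Response fields (status, auth_method, type)
// are assumptions about the enrollment objects; check them against your tenant.
const cache = new Map(); // userId -> { factors, expires }

// Reduce an enrollments response to the distinct confirmed factor names.
function confirmedFactors(enrollments) {
  if (!Array.isArray(enrollments)) return [];
  const names = enrollments
    .filter((e) => e && e.status === 'confirmed') // pending enrollments do not count
    .map((e) => e.auth_method || e.type)
    .filter(Boolean);
  return [...new Set(names)].sort();
}

// Look up one user's factors, caching the answer to limit Management API calls.
// opts.fetchImpl and opts.now are injectable so the function can be tested offline.
async function getUserFactors(userId, opts) {
  const { domain, token, fetchImpl = fetch, ttlMs = 60000, now = Date.now } = opts;
  const hit = cache.get(userId);
  if (hit && hit.expires > now()) return hit.factors;
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/enrollments`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  // Fail loudly: an MFA decision should not be made on a failed lookup.
  if (res.status === 429) throw new Error('Management API rate limit reached');
  if (!res.ok) throw new Error(`enrollments lookup failed: HTTP ${res.status}`);
  const factors = confirmedFactors(await res.json());
  cache.set(userId, { factors, expires: now() + ttlMs });
  return factors;
}

// Constructed sample response (not real tenant data).
const SAMPLE_ENROLLMENTS = [
  { id: 'dev_1', status: 'confirmed', type: 'pn', auth_method: 'guardian' },
  { id: 'sms_1', status: 'confirmed', type: 'sms', auth_method: 'sms' },
  { id: 'otp_1', status: 'pending', type: 'authenticator', auth_method: 'authenticator' },
];
```

The module-level cache only survives while the runtime instance stays warm, so treat it as a way to reduce calls, not as a guarantee of staying under the rate limit.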