Event.user.multifactor property not showing each factor

Problem statement

This says that

`event.user.multifactor` property is: "Optional array of strings. List of multi-factor authentication (MFA) providers with which the user is enrolled. This array is updated when the user enrolls in MFA and when an administrator resets a user's MFA enrollments."

From our tests, this property contains:

  • An empty array if the user doesn’t have enrolments (correct)
  • Always ONE [ 'guardian' ] value in the array, and always guardian, even if a user has more than one factor (like guardian + recovery + SMS).

When testing with a user that has 3 factors (a device, so guardian + SMS + recovery code), the multifactor array only has “guardian”.

And if a user has only SMS, I still receive only “guardian”.

Cause

The event.user.multifactor property is intended only to indicate whether the user is enrolled in MFA; if the user is enrolled, it will always have a value of guardian. In the Dashboard, on the user profile page under the Raw JSON tab, you can see the “guardian_authenticators” attribute, which lists the enrolled authenticators, but this attribute is not available in Rules or Actions.

Solution

As a workaround, you can call “/api/v2/users/{id}/enrollments” to see whether the user has a confirmed MFA enrollment. You can also call the endpoint: Auth0 Management API v2 to retrieve all enrollments.

However, please be aware of the rate limits when calling the Management API from Actions/Rules.
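
One way to apply the workaround, as an added example that is not Auth0's own code: it calls /api/v2/users/{id}/enrollments and reports the rate-limit case as an error instead of treating the user as unenrolled. The function and parameter names are hypothetical, and the status and auth_method fields are assumed from the documented enrollments response.

```javascript
// Added example. Names such as getConfirmedFactors, domain, token and
// fetchImpl are hypothetical; the caller supplies a Management API token.

// Pure helper: reduce the enrollments array to the distinct confirmed factors.
// Assumes each entry carries `status` and `auth_method` fields.
function confirmedFactors(enrollments) {
  if (!Array.isArray(enrollments)) {
    throw new TypeError('enrollments response must be an array');
  }
  const methods = enrollments
    .filter((e) => e && e.status === 'confirmed' && typeof e.auth_method === 'string')
    .map((e) => e.auth_method);
  return [...new Set(methods)].sort();
}

// Look up one user's enrollments. fetchImpl is injectable so the logic can be
// exercised offline; it defaults to the global fetch of the runtime.
async function getConfirmedFactors({ domain, token, userId, fetchImpl = fetch }) {
  const url =
    `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/enrollments`;
  const res = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (res.status === 429) {
    // Rate limited: surface it, so a policy decision is never made on the
    // false assumption that the user has no factors.
    throw new Error('management API rate limit reached');
  }
  if (!res.ok) {
    throw new Error(`enrollments lookup failed with HTTP ${res.status}`);
  }
  return confirmedFactors(await res.json());
}
```

Caching the result per user for the duration of a login flow keeps the number of Management API calls down.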