Force user to enroll a new MFA Authenticator using Universal Login

Is there a way to redirect the User to a universal login page where he is forced to enroll a new MFA factor?

We have an SPA using React and would like to allow the user to change his/her phone number used for MFA. The approach we wanted to take is the following because it doesn’t require us to build our own UI:

  1. On the frontend, list and remove the MFA then force the user to sign in again, this will force them to enter a new phone number for MFA

However, this leaves the user without MFA for a short period of time, which is a security issue. This is why we would like to know if there is a way to force the user to enroll a new authenticator without deleting the old one first, using Universal Login.


I’m interested in the answer to this. Can we get an Auth0 helper to respond please?

Hi there,

Welcome to the Auth0 Community and thank you for the interest in this use case!

I believe the best approach in this situation is to utilize our following endpoint in order to update the user’s authentication method. This way, a new MFA can be set for the new phone number without leaving the user without an MFA method.

In addition, if you wish to prompt the user for MFA, a flow can be created based on the user’s app_metadata (that the user cannot edit): you can enrich it with something like updated_number: true, configure your Action to trigger when this is detected and push the prompt. Once the MFA has been reset, updated_number can be set to false.

Hope this helped!
Gerald

What about initializing an authorize call with the MFA audience, and having a post-login Action that looks at the app_metadata and conditionally requires them to enroll an additional factor? My app will receive the access token scoped to delete:authenticators and I’ll clean up the old authenticator once back in the app.
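The flow sketched in Gerald's reply and in the last post, as an added example that is not code from the thread or from Auth0: a post-login Action reads the `updated_number` flag from `app_metadata` and requires enrollment of a new phone factor while the existing authenticator stays on the account, so there is no window without MFA. The flag name comes from the thread; the Auth0 Actions methods `api.authentication.enrollWith` and `api.user.setAppMetadata` are assumed to behave as documented, and the recording `api` stand-in exists only so the handler can be exercised offline. Clearing the flag is deliberately left to the application, which does it after deleting the old authenticator with a token scoped to `delete:authenticators`; clearing it inside the Action would let an abandoned enrollment silently drop the requirement.

```javascript
// Added example (not code from the thread or from Auth0): a post-login Action that forces
// a new phone enrollment when app_metadata.updated_number is true. Assumes the Auth0 Actions
// API shape (api.authentication.enrollWith, api.user.setAppMetadata); the flag name
// updated_number is the one suggested in the thread.

// Pure decision, kept separate so it can be checked without the Auth0 runtime.
// app_metadata is not user-editable, which is why the flag lives there and not in user_metadata.
function decide(appMetadata) {
  const meta = appMetadata || {};
  if (meta.updated_number === true) {
    // Ask for a fresh phone factor. The existing authenticator is NOT removed here,
    // so the account keeps MFA until the app deletes the old one afterwards.
    return { action: 'enroll', type: 'phone' };
  }
  return { action: 'none' };
}

// The Action entry point. In the Auth0 editor this is `exports.onExecutePostLogin`;
// it is a named function here so it can be run and tested stand-alone.
async function onExecutePostLogin(event, api) {
  const d = decide(event.user && event.user.app_metadata);
  if (d.action === 'enroll') {
    // Forces enrollment of an additional factor of the given type during this login.
    api.authentication.enrollWith({ type: d.type });
    // Intentionally no api.user.setAppMetadata('updated_number', false) here: the
    // application resets the flag only after it has removed the old authenticator,
    // so the requirement keeps applying on every login until cleanup actually happened.
  }
}

// Minimal stand-in for the Auth0 `api` object: records calls instead of acting on them.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    authentication: { enrollWith: (factor) => calls.push(['enrollWith', factor]) },
    user: { setAppMetadata: (key, value) => calls.push(['setAppMetadata', key, value]) },
  };
}

// Constructed sample events: one user flagged for a number change, one not.
const flaggedLogin = { user: { user_id: 'auth0|example-1', app_metadata: { updated_number: true } } };
const normalLogin = { user: { user_id: 'auth0|example-2', app_metadata: {} } };

if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Because the handler contains no `await`, its body runs synchronously up to its return, so the recording `api` is populated as soon as the call returns; the sample events show a flagged login producing one `enrollWith({ type: 'phone' })` call and an unflagged login producing none.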