Is there a way to redirect the User to a universal login page where he is forced to enroll a new MFA factor?
We have an SPA using React and would like to allow the user to change his/her phone number used for MFA. The approach we wanted to take is the following because it doesn’t require us to build our own UI:
On the frontend, list and remove the MFA then force the user to sign in again, this will force them to enter a new phone number for MFA
However, this leaves the user without MFA for a short period of time, which is a security issue. This is why we would like to know if there is a way to force the user to enroll a new authenticator without deleting the old one first using Universal Login.
Welcome to the Auth0 Community and thank you for the interest in this use case!
I believe the best approach in this situation is to utilize our following endpoint in order to update the user’s authentication method. This way, a new MFA can be set for the new phone number without leaving the user without an MFA method.
In addition, if you wish to prompt the user for MFA, a flow can be created based on the user's app_metadata (which the user cannot edit): you can enrich it with something like updated_number: true, configure your Action to trigger when this is detected, and push the prompt. Once the MFA has been reset, updated_number can be set back to false.
What about initializing an authorize call with the MFA audience, and having a post-login Action that looks at the app_metadata and conditionally requires them to enroll an additional factor? My app will receive the access token scoped to delete:authenticators and I'll clean up the old authenticator once back in the app.
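As an added illustration of the flow sketched in the reply and the follow-up above (this is example code written for this page, not code from the Auth0 thread or from Auth0's own samples): a post-login Action that, when the SPA has set updated_number: true in app_metadata and is calling /authorize with the tenant's MFA API audience, requires the user to enroll a new phone factor in the same transaction while leaving the existing one in place. The tenant domain is a placeholder, the flag name comes from the reply, and the Actions API calls used (api.authentication.enrollWith, event.resource_server.identifier, event.user.app_metadata) are the ones documented for the post-login trigger; check them against your tenant's Actions editor. The small in-memory harness at the bottom only exists so the Action can be exercised offline.

```javascript
// Example post-login Action for the "change MFA phone number without a gap" flow.
// Written for this page; not part of the original thread. Assumptions: placeholder
// tenant domain, the `updated_number` app_metadata flag from the reply above, and
// the documented post-login Actions API (enrollWith, resource_server.identifier).

const TENANT_DOMAIN = "example-tenant.us.auth0.com"; // placeholder, not a real tenant
const MFA_API_AUDIENCE = `https://${TENANT_DOMAIN}/mfa/`; // audience of the tenant MFA API

// In the Actions editor this is `exports.onExecutePostLogin = (event, api) => { ... }`.
function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  const audience = event.resource_server && event.resource_server.identifier;

  // Only act on the dedicated /authorize call the SPA makes with the MFA API
  // audience, and only when the app has flagged a pending number change.
  // app_metadata is not user-editable, so the user cannot trigger this themselves.
  if (audience !== MFA_API_AUDIENCE || meta.updated_number !== true) {
    return;
  }

  // Ask Auth0 to enroll an additional phone factor in this transaction. The
  // existing phone authenticator stays enrolled, so the user is never without MFA;
  // the SPA removes the old one afterwards using the access token it receives.
  api.authentication.enrollWith({ type: "phone", options: { preferredMethod: "sms" } });

  // Deliberately NOT clearing the flag here: commands queued in an Action are
  // applied when it returns, i.e. before the user has actually finished enrolling.
  // The app clears it (Management API) only after the old authenticator is deleted.
}

// --- offline harness: a recording fake of the Actions `api` object ---
function makeFakeApi() {
  const calls = [];
  return {
    calls,
    authentication: {
      enrollWith: (factor, options) => calls.push({ cmd: "enrollWith", factor, options }),
    },
    user: {
      setAppMetadata: (key, value) => calls.push({ cmd: "setAppMetadata", key, value }),
    },
  };
}

// Runs the Action against a constructed event and returns the commands it queued.
function simulateLogin({ audience, appMetadata }) {
  const event = {
    user: { user_id: "auth0|constructed-user", app_metadata: appMetadata },
    resource_server: audience ? { identifier: audience } : undefined,
  };
  const api = makeFakeApi();
  onExecutePostLogin(event, api);
  return api.calls;
}

// Constructed scenarios: flagged user on the MFA-audience call, flagged user on an
// ordinary API audience, and an unflagged user on the MFA-audience call.
const flagged = simulateLogin({ audience: MFA_API_AUDIENCE, appMetadata: { updated_number: true } });
const otherAudience = simulateLogin({ audience: "https://api.example.com/", appMetadata: { updated_number: true } });
const unflagged = simulateLogin({ audience: MFA_API_AUDIENCE, appMetadata: {} });
console.log(flagged.length, otherAudience.length, unflagged.length); // 1 0 0
```

The SPA side of the flow is then: set the flag in app_metadata from your backend, call /authorize with the MFA API audience, let Universal Login run the enrollment, and once back in the app delete the old authenticator with DELETE /mfa/authenticators/{authenticator_id} (the MFA API documents the remove:authenticators scope for this) before clearing updated_number. Clearing the flag inside the Action would race the enrollment: if the user abandons the enrollment prompt the flag is already gone and nothing prompts them next time.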