Problem statement
We are creating a new user using the Management API with the Create a User endpoint.
During our signup process, we verify the user’s phone number through a custom MFA, before creating their Auth0 account.
Currently, when they first log in to Auth0, they’re asked by Auth0 to enter their MFA number again (although they’ve already verified a number during our signup process). We’d like to avoid that and provide their MFA number at the time of the account creation. If not, then we’d at least like their number prefilled, so they don’t have to type it again.
Is it possible to send their phone number as part of the account creation payload, so that number is associated with their chosen MFA (or filled in by default)? (e.g., using the phone_number and phone_verified = true params for Auth0 Management API v2)
If not, is it possible to use the ‘bulk user creation’ endpoint to provide their MFA number? (In the past, using the bulk user creation, I was able to associate an existing phone number as the MFA number)
Symptoms
- Wanting to manage factors for users without them having to enroll themselves
Solution
MFA factors can be imported:
Import jobs are limited to 2 concurrent jobs, so this approach is less useful on a user-by-user basis and better suited to batches of users queued up for a true “bulk import”.
If this is an automated process, care must also be taken to handle the Management API’s rate limits appropriately:
You can check whether a job has finished using the GET Job by ID endpoint: Auth0 Management API v2
To summarise: yes, the bulk import endpoint can be used instead of the create user endpoint to set up a user’s MFA in one go, but if this is an automated process triggered by end users, care must be taken with the Management API rate limits and the concurrent import job limit.
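As an added example (not Auth0's code and not part of the original answer), the Python below builds a bulk import file that carries each user's phone as an MFA factor, admitting only numbers your own signup flow verified, and polls an import job with backoff when the API answers HTTP 429. The `mfa_factors` layout and the job status strings follow Auth0's bulk import documentation as understood here; `verified_by_us`, `build_import_file`, `wait_for_job` and the injected `get_job` transport are hypothetical names.

```python
import json
import re
import time

E164 = re.compile(r"\+[1-9]\d{6,14}")  # international format, e.g. +15551234567

def build_import_file(signups):
    """Return (json_text, rejected_emails) for a bulk user import with phone MFA."""
    records, rejected = [], []
    for s in signups:
        phone = s.get("phone", "")
        # An imported factor is treated as already enrolled, so admit only numbers
        # that our own signup flow verified ("verified_by_us" is hypothetical).
        if s.get("verified_by_us") is not True or not E164.fullmatch(phone):
            rejected.append(s["email"])
            continue
        records.append({
            "email": s["email"],
            "mfa_factors": [{"phone": {"value": phone}}],
        })
    return json.dumps(records, indent=2), rejected

def wait_for_job(get_job, job_id, max_polls=10, sleep=time.sleep):
    """Poll a job until it ends. get_job(job_id) -> (http_status, body_dict)
    is an injected transport wrapping the GET Job by ID call."""
    delay = 1.0
    for _ in range(max_polls):
        status, body = get_job(job_id)
        if status == 200 and body.get("status") in ("completed", "failed"):
            return body["status"]
        if status not in (200, 429):
            raise RuntimeError(f"unexpected HTTP {status} for job {job_id}")
        # 429 (rate limited) or job still running: back off, doubling up to 30 s
        sleep(delay)
        delay = min(delay * 2, 30.0)
    raise TimeoutError(f"job {job_id} did not finish in {max_polls} polls")

# Constructed sample signups (not real users)
SAMPLE = [
    {"email": "a@example.com", "phone": "+15551234567", "verified_by_us": True},
    {"email": "b@example.com", "phone": "+15557654321", "verified_by_us": False},
    {"email": "c@example.com", "phone": "555-1234", "verified_by_us": True},
]

if __name__ == "__main__":
    text, rejected = build_import_file(SAMPLE)
    print(text)
    print("rejected:", rejected)
```

Queue the rejected addresses for re-verification rather than importing them without a factor, and keep the number of jobs in flight under the concurrent job limit.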
Another alternative would be to use the Factor Management API endpoints to create MFA factors for a user rather than having them enroll themselves.
Note that a factor created this way is in a confirmed state, so the number should ideally be confirmed through your own verification process before the factor is added to an account: