How to See the Complete Phone Numbers for MFA SMS Enrollment

Problem statement

By default, the MFA SMS phone number that a user enrolls with will be obfuscated. In instances where an Auth0 Admin needs to see the full phone number, what steps are necessary to achieve this?

Symptoms

By default, only the last 4 digits of a phone number are shown when using the following Management API endpoint:

{{base_url}}/api/v2/users/{{user_id}}/authentication-methods

Sample Response:

  [
    {
      "id": "phone|dev_1234abc",
      "type": "phone",
      "confirmed": true,
      "phone_number": "XXXXXXXX1234",
      "created_at": "2024-02-21T16:46:01.333Z",
      "last_auth_at": "2024-02-21T16:46:15.601Z",
      "preferred_authentication_method": "sms",
      "authentication_methods": [
        {
          "id": "sms|dev_1234abc",
          "type": "sms"
        }
      ]
    }
  ]

Steps to Reproduce

The following endpoint should show the MFA enrollments for a given user. If there is any SMS enrollment, it should be present here:

{{base_url}}/api/v2/users/{{user_id}}/authentication-methods

Solution

After the following tenant flag is updated via the Management API, the full phone number should be retrievable:

PATCH /api/v2/tenants/settings

The flag to update:

{ "flags": { "disable_management_api_sms_obfuscation": true } }

After this change, the following endpoint should return the full phone number if the user enrolled in SMS MFA:

{{base_url}}/api/v2/users/{{user_id}}/authentication-methods
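
The following is an added example, not code from the original article or from Auth0. It builds the PATCH request described above (passing False restores masking) and checks an authentication-methods response to confirm whether phone numbers are being returned masked or in full. The tenant URL, the token placeholder, the helper names and the sample responses are constructed, and the masked-number pattern is assumed from the sample response above.

```python
import json
import re
import urllib.request

FLAG = "disable_management_api_sms_obfuscation"
# Assumption: masked numbers look like the article's sample, "XXXXXXXX1234".
MASKED = re.compile(r"^X+\d{4}$")


def build_flag_request(base_url, token, disable_obfuscation):
    """Build (but do not send) the PATCH /api/v2/tenants/settings request."""
    body = json.dumps({"flags": {FLAG: bool(disable_obfuscation)}}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v2/tenants/settings",
        data=body,
        method="PATCH",
        headers={
            "Authorization": "Bearer " + token,
            "Content-Type": "application/json",
        },
    )


def phone_exposure(auth_methods):
    """Map each phone enrollment id to 'masked' or 'full'."""
    result = {}
    for method in auth_methods:
        if method.get("type") != "phone":
            continue  # only phone enrollments carry phone_number
        number = method.get("phone_number", "")
        result[method["id"]] = "masked" if MASKED.match(number) else "full"
    return result


# Constructed sample responses from .../authentication-methods.
BEFORE = [{"id": "phone|dev_1234abc", "type": "phone",
           "phone_number": "XXXXXXXX1234"}]
AFTER = [{"id": "phone|dev_1234abc", "type": "phone",
          "phone_number": "+15555551234"},
         {"id": "totp|dev_5678def", "type": "totp"}]

if __name__ == "__main__":
    # Placeholder tenant URL and token; substitute real values before sending.
    req = build_flag_request("https://tenant.example.com", "MGMT_API_TOKEN", True)
    print(req.get_method(), req.full_url, req.data.decode())
    print("before:", phone_exposure(BEFORE))
    print("after: ", phone_exposure(AFTER))
    # To apply the change: urllib.request.urlopen(req)
```

Running phone_exposure against a real response after the PATCH confirms the flag took effect; running it periodically shows whether a tenant is still returning full numbers to Management API callers.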