Having trouble blocking SMS MFA

Hello,
I’m attempting to block MFA SMS in specific scenarios, and experiencing an issue with both the built-in Twilio integration and the native Auth0 dev SMS.

I’ve created a Send Phone Message action, and to test out my theory have used an extremely simple code like:

exports.onExecuteSendPhoneMessage = async (event, api) => {
   throw new Error("An error Message");
};

However, when I attempt to log in using an SMS MFA via New Universal Login, I still receive the message and don’t get any error either in the UI or logged.

I should note that I’m prompting in the first place using a separate Login action which uses api.authentication.challengeWith({type:'phone'}) after detecting the enrolled MFA type(s).

Is there something I’m doing wrong, or something about this particular combination of actions that’s causing this not to work? I’m modeling the error on Enforce Unique Phone Number per User for SMS MFA.

Hi @harrison.hamill,

Welcome to the Auth0 Community!

Could you confirm if you are using a custom phone provider?

If not, this is required to invoke the Send Phone Message Action.

Thanks,
Rueben

Hi,
I am not using a custom phone provider - rather the native Twilio integration. Is there any way to invoke an action when using Twilio configuration?

Thanks!

Hi @harrison.hamill,

Unfortunately, it is not possible. You must use a custom phone provider to send a phone message action. See the screenshot below:

It might be worth considering adding an if-conditional statement in your post login action script to decide whether to call api.authentication.challengeWith({type:'phone'}). This way, you can block SMS MFA before it begins. You won’t be able to block it after it sends an SMS.

I hope this helps!

Thanks,
Rueben
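
The if-conditional suggested in the reply above, sketched as an added example (not code from this thread or from Auth0). The prefix allowlist, the `selectChallenge` helper, and the assumption that the enrolled phone factor exposes its number as `options.phoneNumber` are all illustrative; the action fails closed when the number cannot be read.

```javascript
// Constructed policy (assumption): calling-code prefixes where SMS MFA is permitted.
const SMS_ALLOWED_PREFIXES = ["+1", "+44"];

// Hypothetical helper: pick the factor to challenge with, or null if the
// policy leaves nothing to offer. A phone factor without a readable number
// is treated as not SMS-capable (fail closed).
function selectChallenge(enrolledFactors) {
  const factors = enrolledFactors || [];
  const phone = factors.find((f) => f.type === "phone");
  // Assumption: the phone factor carries its number in options.phoneNumber.
  const number = phone && phone.options && phone.options.phoneNumber;
  const smsOk =
    typeof number === "string" &&
    SMS_ALLOWED_PREFIXES.some((prefix) => number.startsWith(prefix));
  const others = factors
    .filter((f) => f.type !== "phone")
    .map((f) => ({ type: f.type }));
  if (smsOk) return { primary: { type: "phone" }, additional: others };
  if (others.length > 0) return { primary: others[0], additional: others.slice(1) };
  return null;
}

async function onExecutePostLogin(event, api) {
  const enrolled = event.user.enrolledFactors || [];
  // No factor enrolled yet: leave enrollment to the tenant's MFA policy.
  if (enrolled.length === 0) return;
  const choice = selectChallenge(enrolled);
  if (!choice) {
    // Block before any SMS is sent; once the challenge starts it cannot be stopped.
    api.access.deny("SMS verification is not available for this phone number.");
    return;
  }
  api.authentication.challengeWith(choice.primary, {
    additionalFactors: choice.additional,
  });
}

// Actions load the handler from exports; the guard keeps the file runnable elsewhere.
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```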

Thanks, I will look into whether I can do it with a post-login action.
Do you know if there is any action I can use to inspect an SMS MFA enrollment? For example, I want to allow SMS MFA but need to show an error if the phone number entered is in a country that can’t receive SMS. I assume the enrollment message also won’t trigger the Send SMS Action if we are using native Twilio integration?

Hi @harrison.hamill,

Thanks for the reply.

Unfortunately, it’s not possible to inspect an SMS MFA enrollment after it has begun.

There is a workaround mentioned here on using the Classic Universal Login experience to allow a subset of the country codes.

Let us know if you have any additional questions.

Thanks,
Rueben