Hello,
I’m attempting to block MFA SMS in specific scenarios, and experiencing an issue with both the built-in Twilio integration and the native Auth0 dev SMS.
I’ve created a Send Phone Message action, and to test out my theory I have used extremely simple code like:
However when I attempt to login using an SMS MFA via New Universal Login, I still receive the message and don’t get any error either in the UI or logged.
I should note that I’m prompting in the first place using a separate Login action which uses api.authentication.challengeWith({type:'phone'}) after detecting the enrolled MFA type(s).
Is there something I’m doing wrong, or something about this particular combination of actions that’s causing this not to work? I’m modeling the error on Enforce Unique Phone Number per User for SMS MFA.
It might be worth considering adding an if-conditional statement in your post login action script to decide whether to call api.authentication.challengeWith({type:'phone'}). This way, you can block SMS MFA before it begins. You won’t be able to block it after it sends an SMS.
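The conditional gate suggested in the reply above, sketched as an added example (not code from the thread or from Auth0). The blocklist, the fallback order, the deny message and the `decideMfa` helper are hypothetical; the scenario assumed here is "no SMS when the login's country is blocklisted or unknown".

```javascript
// Added example. Policy values below are constructed placeholders.
const SMS_BLOCKED_COUNTRIES = new Set(['XA', 'XB']); // hypothetical country codes
const FALLBACK_TYPES = ['otp', 'push-notification', 'webauthn-roaming'];

// Pure decision step (hypothetical helper) so the policy can be unit-tested
// without a tenant. Returns what the post-login handler should do.
function decideMfa(event) {
  const enrolled = (event.user.enrolledFactors || []).map((f) => f.type);
  // This gate only concerns users who would otherwise get an SMS challenge.
  if (!enrolled.includes('phone')) return { action: 'none' };

  const country = event.request?.geoip?.countryCode;
  // Fail closed: an unknown country is treated like a blocked one.
  const smsAllowed = Boolean(country) && !SMS_BLOCKED_COUNTRIES.has(country);
  if (smsAllowed) return { action: 'challenge', type: 'phone' };

  // SMS is blocked: prefer another factor the user already enrolled.
  const fallback = FALLBACK_TYPES.find((t) => enrolled.includes(t));
  if (fallback) return { action: 'challenge', type: fallback };
  return { action: 'deny', reason: 'SMS verification is not available for this login.' };
}

async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event);
  if (decision.action === 'challenge') {
    // The SMS is only triggered when this call is reached with type 'phone',
    // so the decision has to be made here, before the challenge starts.
    api.authentication.challengeWith({ type: decision.type });
  } else if (decision.action === 'deny') {
    api.access.deny(decision.reason);
  }
}

// Export for the Actions runtime (guarded so the file also loads elsewhere).
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```
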
Thanks, I will look into whether I can do it with a post-login action.
Do you know if there is any action I can use to inspect an SMS MFA enrollment? For example, I want to allow SMS MFA but need to show an error if the phone number entered is in a country that can’t receive SMS. I assume the enrollment message also won’t trigger the Send SMS Action if we are using native Twilio integration?