How can a user change the phone number used for MFA

Is there a recommended flow for how a user of our application can change their phone number being used for MFA?

We have an SPA using React and the Class Flow for login plus an API that is authenticated using the access_token returned from Auth0.

I currently see 2 options:

  1. On the frontend, list and remove the MFA, then force the user to sign in again; this will force them to enter a new phone number for MFA
  2. Create our own APIs that will add a new MFA authenticator, remove the old one, then return the MFA token for the user to use to type in the code sent to them

Changing MFA seems like something most people that use MFA must implement so just wondering what the most common/secure flow is?

Hey there @ssp6 welcome to the community!

I think you’re on the right track with this - You want to make sure there is no gap between old and new factor so adding the new one and then deleting the old one in that order is important.

General Idea:

  1. The user accesses the “profile” page and chooses “Change phone number”.
  2. The page redirects the user to Auth0 to authenticate and use the MFA API as audience. Make sure MFA is enforced to prevent account takeover.
  3. Once the re-auth is completed - Use the MFA token to register the new phone number as a factor and delete the old one (in this order - so that the account doesn’t stay without MFA at all even for a short time).

https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/manage-authenticator-factors-mfa-api

Hope this helps!
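
Step 3 of the flow above as an added example (not code from the original posts or from Auth0): it calls the MFA API endpoints covered in the linked doc and removes the old SMS factor only after the new one is listed as active. The name `changeMfaPhone`, the injected fetch-compatible `http` function and the `confirmEnrollment` callback (which collects the code from the user and completes the enrollment) are assumptions; `token` is the token obtained in step 2.

```javascript
// Added example, not Auth0's code. `http` is a fetch-compatible function and
// `confirmEnrollment` is a hypothetical callback; both are injected by the caller.
async function changeMfaPhone({ domain, token, newPhone, confirmEnrollment, http }) {
  const call = async (method, path, body) => {
    const res = await http(`https://${domain}${path}`, {
      method,
      headers: { authorization: `Bearer ${token}`, 'content-type': 'application/json' },
      body: body ? JSON.stringify(body) : undefined,
    });
    if (!res.ok) throw new Error(`${method} ${path} failed with ${res.status}`);
    return res.status === 204 ? null : res.json();
  };
  const smsOnly = (list) =>
    list.filter((a) => a.authenticator_type === 'oob' && a.oob_channel === 'sms');

  // 1. Record the SMS factors that exist before anything changes.
  const oldIds = smsOnly(await call('GET', '/mfa/authenticators')).map((a) => a.id);

  // 2. Start enrolling the new number; Auth0 sends it a code.
  const enrollment = await call('POST', '/mfa/associate', {
    authenticator_types: ['oob'],
    oob_channels: ['sms'],
    phone_number: newPhone,
  });

  // 3. The caller collects the code from the user and completes the enrollment.
  await confirmEnrollment(enrollment.oob_code);

  // 4. Re-read the list: delete nothing unless a new SMS factor is active.
  const added = smsOnly(await call('GET', '/mfa/authenticators'))
    .filter((a) => a.active && !oldIds.includes(a.id));
  if (added.length === 0) {
    throw new Error('new phone factor is not active; old factor left in place');
  }

  // 5. Only now remove the old SMS factors.
  for (const id of oldIds) {
    await call('DELETE', `/mfa/authenticators/${encodeURIComponent(id)}`);
  }
  return { added: added.map((a) => a.id), removed: oldIds };
}
```

If the confirmation fails or the user abandons it, the function throws before any `DELETE` is sent, so the account keeps its original factor.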