Hey there @ssp6 welcome to the community!
I think you’re on the right track with this - You want to make sure there is no gap between old and new factor so adding the new one and then deleting the old one in that order is important.
General Idea:
- The user accesses the “profile” page and chooses “Change phone number”.
- The page redirects the user to Auth0 to authenticate and use MFA API as audience. Make sure MFA is enforced to prevent account takeover.
- Once the re-auth is completed - Use the MFA token to register the new phone number as a factor and delete the old one (in this order - so that the account doesn’t stay without MFA at all even for a short time).
Hope this helps!
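The enroll-then-delete ordering described above, as an added example in Python (not code from this thread or from Auth0). It uses the real MFA API paths (POST /mfa/associate, GET and DELETE /mfa/authenticators, and POST /oauth/token to confirm the new enrollment); the tenant domain, client id, MFA token and phone number are placeholders, the token is assumed to carry the enroll and remove:authenticators scopes, and fake_request is a constructed offline stand-in for the HTTP client.

```python
import json
import urllib.request

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder, not a real tenant
CLIENT_ID = "YOUR_CLIENT_ID"             # placeholder

def http_request(method, path, token, body=None):
    """Tiny JSON client for the Auth0 MFA API; returns the decoded body ({} for 204)."""
    headers = {"Content-Type": "application/json", **({"Authorization": f"Bearer {token}"} if token else {})}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{AUTH0_DOMAIN}{path}", data=data,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:      # raises on 4xx/5xx
        raw = resp.read()
    return json.loads(raw) if raw else {}

def rotate_sms_factor(request, mfa_token, new_phone, read_binding_code):
    """Enroll -> confirm -> delete, so the account never has zero MFA factors.
    request(method, path, token, body) does the HTTP call; read_binding_code() asks the
    user for the code texted to the new number. Returns the ids of the deleted old factors."""
    old_sms = [a for a in request("GET", "/mfa/authenticators", mfa_token)
               if a.get("authenticator_type") == "oob" and a.get("oob_channel") == "sms"]
    # 1. enroll the new number (mfa_token must carry the enroll scope)
    assoc = request("POST", "/mfa/associate", mfa_token,
                    {"authenticator_types": ["oob"], "oob_channels": ["sms"],
                     "phone_number": new_phone})
    # 2. confirm enrollment with the delivered code; no access_token means not confirmed
    confirm = request("POST", "/oauth/token", None, {
        "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob", "client_id": CLIENT_ID,
        "mfa_token": mfa_token, "oob_code": assoc["oob_code"], "binding_code": read_binding_code()})
    if "access_token" not in confirm:
        raise RuntimeError("new factor not confirmed; old factor kept")
    # 3. only now remove the previous SMS factor(s) (needs remove:authenticators scope)
    for a in old_sms:
        request("DELETE", f"/mfa/authenticators/{a['id']}", mfa_token)
    return [a["id"] for a in old_sms]

def fake_request(calls, confirm_ok=True):
    """Constructed stand-in for http_request so the flow can be exercised offline."""
    def request(method, path, token, body=None):
        calls.append((method, path))
        if (method, path) == ("GET", "/mfa/authenticators"):
            return [{"id": "sms|old", "authenticator_type": "oob", "oob_channel": "sms"},
                    {"id": "totp|app", "authenticator_type": "otp"}]
        if path == "/mfa/associate":
            return {"oob_code": "constructed-oob-code"}
        if path == "/oauth/token":
            return {"access_token": "x"} if confirm_ok else {"error": "invalid_grant"}
        return {}
    return request
```

With the real client, pass `http_request` instead of `fake_request(...)`; a failed confirmation raises before any DELETE is issued.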