Is it possible for a new user to set up MFA using Guardian app from their mobile device?
To clarify, this is the flow we have in mind:
We create a new user from our backend via the management API
We create a PW reset ticket and send that url to the user via email
User opens email on their mobile device, and then chooses their new password
They are prompted for Guardian MFA with a QR code, which they are unable to scan using guardian app on same device…
Note: This is a duplicate of: Guardian app setup for new user
But since that topic got closed without any suggested solutions, I really wanted to ask this question again…
Thank you for posting in Auth0 Community. I apologize for the delay in my response.
Yes, the best way to do this is by obtaining the URI from the Guardian authenticator’s QR Code and executing this request in the background. Our documentation below goes over the steps on how to handle the QR code enrollment for mobile authentication.
All that we want is a feature in the “Guardian app” which enables the app to scan a QR code from the “mobile gallery”.
A freshly installed “Guardian app” can “add an account” in the app only through scanning a QR code, and it gets stuck when the user starts setting up their account for the very first time on the same mobile device.
@ranjanse yes exactly something like that. @lily.wisecarver just to be clear: the flow we are talking about is based on the universal login page. So the user opens the universal login page from their phone and (because they have not yet completed MFA setup) is then prompted to “Scan this code with Auth0 Guardian”, e.g.
→ but now the user is stuck because it’s actually impossible to scan this code from the Guardian app on the same device
So maybe, instead of telling the user to “Scan this code with Auth0 Guardian” it would be cool to detect that we’re running on a mobile device and show a button like “proceed with Guardian app” which then automatically opens the guardian app with the correct url already provided…?
Sorry but this is not currently possible. The only way for a person to enrol a Guardian 2FA on their device is to take a picture, which like you said is impossible from the same device.
I advise you to submit a feature request using the feedback form. By submitting the feedback form, a feature request will be created in our development backlog. These requests help us understand which new features our users would like to see in future releases of Auth0. However, depending on the request, there is no guarantee that the feature requested will be developed.
If you require that all your users need an MFA, using other methods such as One-time Password with Google-Authenticator (there is an option to submit your device using a code instead of a photo), SMS, or Email should work from mobile devices.
Is there any update on this? This is a critical feature, as there are so many users accessing websites through a mobile browser and they cannot scan the QR code for MFA enrollment while using the same device.