Last Updated: Aug 13, 2024
Overview
This article details how to get all the MFA Enrollments and delete the duplicated or unconfirmed ones.
Applies To
- Multifactor Authentication (MFA)
- MFA Enrollments
- Delete duplicates
Cause
If the user triggers an Enrollment request but does not confirm it, there will be a record in the Authenticators list with the property active set to false:
{
  "id": "sms|dev_testid",
  "authenticator_type": "oob",
  "active": false,
  "oob_channel": "sms",
  "name": "XXXXXXXXX5034"
}
Each time a user clicks to enroll, the enrollment request is stored with its own ID. Once the total number of authenticators reaches fifty-one (51), the user cannot run more MFA enrollments.
Solution
Deleting inactive enrollments using the Management API solves this issue:
- Get the enrollments using the following Endpoint from the MFA API:
GET /mfa/authenticators
Below is a sample response from this endpoint:
[
  {
    "id": "sms|dev_gB342kcL2K22S4yB",
    "authenticator_type": "oob",
    "oob_channels": "SMS",
    "name": "+X XXXX1234",
    "active": true
  },
  {
    "id": "sms|dev_gB342kcL2K22S4yB",
    "authenticator_type": "oob",
    "oob_channels": "SMS",
    "name": "+X XXXX1234",
    "active": false
  }
]
- Filter for the entries with active set to false and select the enrollment IDs to delete.
- Delete the authenticators using the following Endpoint from the Management API:
DELETE /api/v2/users/{id}/authentication-methods/{authentication_method_id}
NOTE:
- Auth0 returns the unconfirmed authenticators only for the purpose of enrollment (confirming an authenticator). That is why the unconfirmed authenticators are available only via the Enrollment API, which is part of the Authentication API.
- The unconfirmed authenticators are unavailable via the Management API (GET /api/v2/users/{id}/authentication-methods) because that endpoint was designed for a different purpose.
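The three steps above as a Python sketch. This is an added example, not Auth0's own code: the function names, the tenant domain, the user ID, the token placeholders and the sample IDs are all assumptions. It also skips any ID that appears as active anywhere in the list, a conservative choice that the article does not prescribe.

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed sample, shaped like the /mfa/authenticators response shown above.
SAMPLE = json.loads("""[
  {"id": "sms|dev_AAAA", "authenticator_type": "oob", "active": true},
  {"id": "sms|dev_AAAA", "authenticator_type": "oob", "active": false},
  {"id": "sms|dev_BBBB", "authenticator_type": "oob", "active": false},
  {"id": "sms|dev_BBBB", "authenticator_type": "oob", "active": false}
]""")

def list_request(domain, mfa_token):
    """Step 1: GET /mfa/authenticators, the only API that lists unconfirmed ones."""
    return urllib.request.Request(
        f"https://{domain}/mfa/authenticators",
        headers={"Authorization": f"Bearer {mfa_token}"}, method="GET")

def select_inactive_ids(authenticators):
    """Step 2: IDs with active == false, deduplicated, never one that is also active."""
    active = {a["id"] for a in authenticators if a.get("active") is True}
    seen, out = set(), []
    for a in authenticators:
        aid = a["id"]
        if a.get("active") is False and aid not in active and aid not in seen:
            seen.add(aid)
            out.append(aid)
    return out

def delete_request(domain, user_id, method_id, mgmt_token):
    """Step 3: DELETE /api/v2/users/{id}/authentication-methods/{authentication_method_id}."""
    # User and authenticator IDs contain "|", so percent-encode each path segment.
    path = (f"/api/v2/users/{quote(user_id, safe='')}"
            f"/authentication-methods/{quote(method_id, safe='')}")
    return urllib.request.Request(
        f"https://{domain}{path}",
        headers={"Authorization": f"Bearer {mgmt_token}"}, method="DELETE")

def plan_cleanup(domain, user_id, authenticators, mgmt_token):
    """Build one DELETE request per inactive enrollment, without sending anything."""
    return [delete_request(domain, user_id, i, mgmt_token)
            for i in select_inactive_ids(authenticators)]

if __name__ == "__main__":
    # Placeholder tenant, user and token; review the plan, then send each
    # request with urllib.request.urlopen(req).
    for req in plan_cleanup("tenant.example.com", "auth0|user123",
                            SAMPLE, "MGMT_TOKEN_PLACEHOLDER"):
        print(req.get_method(), req.full_url)
```

Printing the planned requests before sending them gives a chance to confirm that only unconfirmed enrollments are targeted.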