How to enforce a single MFA for a user

The Authentication APIs allow a user to enroll more than one MFA. How could we ensure that a user cannot set up more than one MFA?

Hi @rajivk,

Thanks for reaching out to the Auth0 Community!

I understand that you would like to enforce MFA for a single user.

In this situation, I recommend using an Auth0 Post-Login Action to selectively enforce MFA for the user.

Please review our How To Enable MFA For A Subset of Users FAQ which goes into further detail on how to accomplish this.

If you have any additional questions or need help with implementation, please feel free to reach out.

Thank you.
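An illustration of the Post-Login Action approach suggested in this reply, added here as an example and not code from the reply or from Auth0's FAQ; the `require_mfa` key in `app_metadata` is a hypothetical naming choice, while `event.user`, `event.user.multifactor` and `api.multifactor.enable` follow Auth0's documented Actions API.

```javascript
// Added example: a Post-Login Action that triggers MFA only for some users.
// The app_metadata key `require_mfa` is hypothetical; event/api shapes follow
// Auth0's Actions API (event.user.*, api.multifactor.enable).

// Pure policy function: returns the reason MFA is required, or null.
// Keeping the decision separate from the handler makes it unit-testable
// outside the Actions runtime and gives a string worth writing to logs.
function mfaRequirement(user) {
  const u = user || {};
  const meta = u.app_metadata || {};
  if (meta.require_mfa === true) return 'app_metadata.require_mfa';
  // A user who has already enrolled a factor keeps being challenged;
  // otherwise a password-only login would quietly downgrade their protection.
  if (Array.isArray(u.multifactor) && u.multifactor.length > 0) {
    return 'existing-enrollment:' + u.multifactor.join(',');
  }
  return null;
}

async function onExecutePostLogin(event, api) {
  const reason = mfaRequirement(event.user);
  if (reason === null) return;
  // 'any' lets the user pick among every factor enabled in the tenant
  // dashboard; as the thread explains, it does not limit how many they enroll.
  api.multifactor.enable('any', { allowRememberBrowser: false });
}

// Auth0 loads the handler from `exports`; the guard only keeps the file
// runnable outside the Actions runtime.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;
```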

This link explains how we can enforce a particular MFA. Our requirement is that we allow users to choose any MFA (SMS, OTP, etc.), but a user should not be able to set up more than one MFA. There must be only one active MFA (whichever the user chooses) at a time.

Hi @rajivk,

Thank you for your response and clarification.

Unfortunately, it is not possible to prevent users from enrolling in alternative MFA factors if you have more than one factor enabled.

Meaning that it is not possible to enforce a specific factor without providing alternative methods to authenticate with MFA.

I hope this answers your questions.

Please let me know if you need help with anything else.

Thank you.

@rueben.tiow thank you.

So my understanding is that a user can have any number of active MFAs enrolled at a time, provided they are enabled from the Auth0 dashboard. We cannot restrict users to having one active MFA (of their choice) enrolled at a time.

BTW, I tried to enrol a user with OTP and then with SMS using the Authentication API. It says that the user is already enrolled.

Hi @rajivk,

Thank you for your response.

Yes, your understanding is correct! :+1:

To better understand the situation, could you please share the requests you made to enroll a user with OTP and SMS?

Thank you.