Problem statement
By default, the MFA SMS phone number that a user enrolls with will be obfuscated. In instances where an Auth0 Admin needs to see the full phone number, what steps are necessary to achieve this?
Symptoms
By default, only the last 4 digits of a phone number are shown when using the following Management API endpoint:
{{base_url}}/api/v2/users/{{user_id}}/authentication-methods
Sample Response:
[
  {
    "id": "phone|dev_1234abc",
    "type": "phone",
    "confirmed": true,
    "phone_number": "XXXXXXXX1234",
    "created_at": "2024-02-21T16:46:01.333Z",
    "last_auth_at": "2024-02-21T16:46:15.601Z",
    "preferred_authentication_method": "sms",
    "authentication_methods": [
      {
        "id": "sms|dev_1234abc",
        "type": "sms"
      }
    ]
  }
]
Steps to Reproduce
The following endpoint should show the MFA enrollments for a given user. If there is any SMS enrollment, it should be present here:
{{base_url}}/api/v2/users/{{user_id}}/authentication-methods
Solution
After updating the following tenant flag via the Management API, the full phone number should be retrievable:
PATCH /api/v2/tenants/settings
The flag to update:
{ "flags": { "disable_management_api_sms_obfuscation": true } }
After doing this, this endpoint should return the full phone number if the user enrolled in SMS MFA:
{{base_url}}/api/v2/users/{{user_id}}/authentication-methods
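Added example (not Auth0's own code): it builds the two Management API requests named above and classifies a response's phone enrollments as masked or full, so the flag change can be verified and later reverted. The base URL, token and user ID are placeholders, the helper names are hypothetical, and it is an assumption that a masked number always contains X characters as in the sample response and that setting the flag to false restores the default.

```python
import json
import urllib.request
from urllib.parse import quote

FLAG = "disable_management_api_sms_obfuscation"  # flag name from the article


def _request(base_url, token, path, method="GET", body=None):
    # Build (do not send) a Management API request with a bearer token.
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                  headers=headers, method=method)


def flag_request(base_url, token, disabled):
    # PATCH /api/v2/tenants/settings; disabled=False is assumed to restore masking.
    return _request(base_url, token, "/api/v2/tenants/settings", "PATCH",
                    {"flags": {FLAG: disabled}})


def methods_request(base_url, token, user_id):
    # User IDs contain "|" (e.g. "auth0|abc"), so percent-encode the path segment.
    path = f"/api/v2/users/{quote(user_id, safe='')}/authentication-methods"
    return _request(base_url, token, path)


def phone_exposure(methods):
    # Classify each phone enrollment as "masked" (X placeholders) or "full".
    report = {}
    for m in methods:
        if m.get("type") == "phone":
            number = m.get("phone_number", "")
            report[m["id"]] = "masked" if "X" in number.upper() else "full"
    return report


def send(req):
    # Perform the call; only used against a real tenant.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample shaped like the article's response; no network needed.
    sample = [{"id": "phone|dev_1234abc", "type": "phone",
               "phone_number": "XXXXXXXX1234"}]
    print(phone_exposure(sample))
    print(flag_request("https://tenant.example", "TOKEN", False).data)
```

Against a real tenant, pass the built request to `send()`; running `phone_exposure` on the authentication-methods response before and after the PATCH confirms whether full numbers are being returned.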