How to set up MFA TOTP enrollment with MFA API

Problem Statement:

How to set up MFA TOTP enrollment with Management API?

Solution:

Please follow the below steps:

1.Get the refresh token

POST ​​https://{YOUR_DOMAIN}/oauth/token

{
   "grant_type": "http://auth0.com/oauth/grant-type/password-realm",
   "client_id": "YOUR_CLIENT_ID",
   "client_secret": "YOUR_CLIENT_SECRET",
   "audience": "YOUR_DOMAIN/mfa/",
   "username": "USER_EMAIL OR USERNAME",
   "password": "USER_PASSWORD",
   "scope": "offline_access",
   "realm": "Username-Password-Authentication"
}

Please be noted that the audience has /mfa/ at the end

2.use the refresh token to get a new access_token

curl --request POST \
  --url 'https://{YOUR_DOMAIN}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data grant_type=refresh_token \
  --data 'client_id=YOUR_CLIENT_ID' \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data refresh_token=YOUR_REFRESH_TOKEN

3.use that access_token to start an enrollment at /mfa/associate

curl --request POST \
  --url 'https://{YOUR_DOMAIN}/mfa/associate' \
  --header 'authorization: Bearer ACCESS_TOKEN' \
  --header 'content-type: application/json' \
  --data '{
"client_id": "YOUR_CLIENT_ID", 
"client_secret": "YOUR_CLIENT_SECRET", 
"authenticator_types":["otp"], 
"oob_channels":"sms", 
"phone_number": "+1555123456"
}'

The request will return secrete and barcode_uri. Add an account in Google Authenticator with user email and secrete to get the OTP code.

4.Confirm OTP enrollment with

curl --request POST
–url ‘https://{YOUR_DOMAIN}/oauth/token’
–header ‘content-type: application/x-www-form-urlencoded’
–data grant_type=http://auth0.com/oauth/grant-type/mfa-otp
–data ‘client_id=YOUR_CLIENT_ID’
–data mfa_token=MFA_TOKEN
–data client_secret=YOUR_CLIENT_SECRET
–data otp=USER_OTP_CODE

5.Verify TOTP is added to User settings on the Dashboard.

References:

https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/manage-authenticator-factors-mfa-api#resource-owner-password-grant

https://auth0.com/docs/api/authentication?shell#verify-with-recovery-code

https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators

How to Enroll a User in Both Google Authenticator and SMS with MFA API

1 Like