Issue MFA challenge outside of an authenticated context?

I am trying to build an identity verification system for our app for when users get locked out of the application (e.g. they forgot password, and no longer have access to their email).

I’d like to be able to issue an MFA challenge from Auth0 as part of the identity verification process, in addition to some other factors such as security questions.

Is it possible to emit an MFA challenge via the Auth0 API without being already authenticated via email/password? I see that it’s possible via POSTing to the /mfa/challenge endpoint, however this requires an mfa_token – and AFAIK the only way to get that is via authenticating with email/password. The problem is that in this situation our user is not able to authenticate (they’re locked out).

So is there a way to hit the API such that I can emit the MFA challenge without an MFA token? Or is there a way to get an MFA token for a user without having to go through the authentication flow?

Thanks!

Hi @chris.dopuch,

Welcome to the Auth0 Community!

You have perfectly described the flow needed in order to emit an MFA challenge, so unfortunately in this scenario it is not possible to obtain an mfa_token without authenticating the user, since the ROPG with MFA flow requires that, and calling the /oauth/token endpoint with the user’s username and password.

I understand what you are trying to implement though, so as a workaround I would suggest digging more into providing a password change ticket. The Change Users’ Passwords documentation mentions, about Generating Password Reset tickets, that:

The Management API provides the Create a Password Change Ticket endpoint, which generates a URL like the one in the password reset email. You can use the generated URL when the email delivery method is not appropriate. Keep in mind that in the default flow, the email delivery verifies the identity of the user. (An impostor wouldn’t have access to the email inbox.) If you use the ticket URL, your application is responsible for verifying the identity of the user in some other way.

Hope this helps!
Thanks,
Remus
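The workaround Remus describes, as an added example that is not part of the original thread and not Auth0's own code: after the application's own identity checks pass, call the Management API "Create a Password Change Ticket" endpoint and hand the resulting URL to the user. The tenant domain, user id, result URL, TTL and the `create:user_tickets` scope requirement are assumptions for illustration, not values from the thread.

```python
import json
import urllib.request

# Assumed, hypothetical values for this example (not from the original thread).
AUTH0_DOMAIN = "example-tenant.auth0.com"
TICKET_TTL_SEC = 300  # keep it short: the ticket stands in for the e-mail proof of identity


def build_password_change_ticket_request(mgmt_token, user_id, result_url,
                                         ttl_sec=TICKET_TTL_SEC):
    """Build the Management API call for 'Create a Password Change Ticket'.

    Returns (url, headers, body) without sending anything, so the request can be
    inspected and tested offline. The Management API token is assumed to carry
    the create:user_tickets scope.
    """
    url = f"https://{AUTH0_DOMAIN}/api/v2/tickets/password-change"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",
        "Content-Type": "application/json",
    }
    body = {
        "user_id": user_id,        # user located earlier in the recovery flow
        "result_url": result_url,  # where Auth0 sends the user after the reset
        "ttl_sec": ttl_sec,
        # The user never proved control of the mailbox in this flow, so do not
        # let the ticket mark the e-mail address as verified.
        "mark_email_as_verified": False,
    }
    return url, headers, body


def recover_locked_out_user(mgmt_token, user_id, result_url, identity_checks_passed):
    """Issue the ticket only once the app's own identity verification has passed.

    identity_checks_passed is the outcome of whatever replaces the e-mail proof
    (security questions and other factors the application verifies itself).
    Returns the ticket URL, which must reach the verified user over a trusted channel.
    """
    if not identity_checks_passed:
        raise PermissionError("identity not verified; refusing to issue a ticket")
    url, headers, body = build_password_change_ticket_request(mgmt_token, user_id, result_url)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["ticket"]
```

Because the ticket URL bypasses the e-mail check, treat it like a credential: generate it only at the moment the user has passed your checks, and deliver it in the same authenticated recovery session rather than storing or logging it.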