Issue With Tenant Users Enrolling In MFA for Multiple Tenants

Problem statement

We noticed that if a tenant user enrolls in MFA using OTP in one environment, then OTP is only enabled for that user when they log into any of the tenants within that environment. If the user tries to enable MFA with OTP in one of the other environments, they are then asked to overwrite their enrollment details, which they set up for the first environment. I’m experiencing this with Google Authenticator.

If I use Auth0 Guardian, I see three apps with the same name called “config” in the Auth0 Guardian when I scan the QR code.

Solution

There is little we can do about Google Authenticator not showing a separate entry for each environment. Unfortunately, the identical entry name in Auth0 Guardian is also unavoidable.

Here is one decoded sample QR code from my test private cloud environment.

otpauth://totp/config:saltuk%40okta.com?secret=JF…redacted&issuer=config&algorithm=SHA1&digits=6&period=30

As you can see, the QR code encodes only the tenant's name (used as both the label prefix and the issuer) and the user's email. The master tenant where the dashboard admins log in is named "config" in every private cloud environment. Unfortunately, this tenant is built automatically during environment installation, and we don't have the option to give it a different name.
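To make concrete what the authenticator app sees, here is an added example (not Auth0's code) that parses an otpauth URI and flags enrollments whose issuer and account name are identical, which is the condition under which a second environment's QR code offers to overwrite the first. The two URIs and their secrets are constructed samples, not values from the article.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrollments from two hypothetical environments: the
# issuer and account are identical, only the secret differs (the secrets are
# made-up base32 strings, not real credentials).
ENV_A_URI = ("otpauth://totp/config:user%40example.com?secret=JBSWY3DPEHPK3PXP"
             "&issuer=config&algorithm=SHA1&digits=6&period=30")
ENV_B_URI = ("otpauth://totp/config:user%40example.com?secret=GEZDGNBVGY3TQOJQ"
             "&issuer=config&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Parse an otpauth:// URI (the text encoded in an enrollment QR code)."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not a TOTP/HOTP otpauth URI")
    # The path is the label "issuer:account"; the issuer prefix is optional
    # and the label is percent-encoded (user%40example.com).
    label = unquote(parts.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    if not sep:
        label_issuer, account = "", label_issuer
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "type": parts.netloc,
        # The issuer query parameter takes precedence over the label prefix.
        "issuer": params.get("issuer", label_issuer),
        "account": account.strip(),
        "algorithm": params.get("algorithm", "SHA1"),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "secret": params["secret"],
    }

def find_overwrite_collisions(uris):
    """Group enrollments by (issuer, account), the pair an authenticator app
    displays as the entry name. Two enrollments with the same pair but
    different secrets are the overwrite case described in the article."""
    by_name = {}
    for uri in uris:
        entry = parse_otpauth(uri)
        by_name.setdefault((entry["issuer"], entry["account"]), []).append(entry["secret"])
    return {name: secrets for name, secrets in by_name.items() if len(secrets) > 1}

if __name__ == "__main__":
    for (issuer, account), secrets in find_overwrite_collisions([ENV_A_URI, ENV_B_URI]).items():
        print(f"{issuer}:{account} enrolled {len(secrets)} times with different secrets")
```

Running it on the two constructed URIs reports a single colliding entry, config:user@example.com, with two distinct secrets; giving the second environment a different issuer would make the entries distinct.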

As a workaround, you can use a different OTP generator app for each environment. Here are three apps you could choose from:

1- Auth0 Guardian
2- Okta Verify
3- Google Authenticator