Logs for failed MFA where authenticator is not active

Hey, just a question about how MFA is handled, and how logging is working, when a user has multiple enrolments.

The scenario is that a user has multiple OTP authenticators associated; however, only one was verified, so only one is active. "Active" is as defined by the response from the /mfa/authenticators endpoint of the Authentication API. Specifically, for my test case I have four authenticators: one is a recovery code, the other three are OTP, and only one is marked as active.

When the user is asked to enter their OTP code using the authenticator that is active the login works as expected, no error in the Universal Login form, great.

However, in the Logs associated with the tenant where the user exists, I see two failed MFA attempts. Looking at the detail, these failures are for the two authenticators that are not active.

Question: is it that when a user enters a code, the Auth0 process checks it against all authenticators, even those that are not active / verified? Does it make sense that there are error logs when one of the authenticators was valid?

Thanks

Just to update this issue after some DMs.

The fact that `'active': false` methods are checked and generate error logs is currently working as intended.

1 Like
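Since those failures are expected, a detection rule that pages on every failed MFA event will fire on every successful login for such a user. An added example, not code from this thread or from Auth0, showing one way to triage them: cross-reference each failure with the `active` flag from the /mfa/authenticators response and with a nearby success for the same user. The log event type codes, the `authenticator_id` detail field and all sample data are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like GET /mfa/authenticators for one user (field
# names assumed): four enrolments, only one OTP verified/active, as in the thread.
AUTHENTICATORS = [
    {"id": "recovery-code|dev_r1", "authenticator_type": "recovery-code", "active": True},
    {"id": "totp|dev_t1", "authenticator_type": "otp", "active": True},
    {"id": "totp|dev_t2", "authenticator_type": "otp", "active": False},
    {"id": "totp|dev_t3", "authenticator_type": "otp", "active": False},
]

# Constructed tenant log entries (event type codes and the `authenticator_id`
# detail field are assumptions): one successful login yields a success for the
# active OTP plus one failure per inactive OTP, as the thread describes.
LOG_EVENTS = [
    {"type": "gd_auth_failed", "user_id": "auth0|u1", "date": "2024-01-01T10:00:00.100Z",
     "details": {"authenticator_id": "totp|dev_t2"}},
    {"type": "gd_auth_failed", "user_id": "auth0|u1", "date": "2024-01-01T10:00:00.120Z",
     "details": {"authenticator_id": "totp|dev_t3"}},
    {"type": "gd_auth_succeed", "user_id": "auth0|u1", "date": "2024-01-01T10:00:00.150Z",
     "details": {"authenticator_id": "totp|dev_t1"}},
    # A later failure against the active authenticator with no nearby success.
    {"type": "gd_auth_failed", "user_id": "auth0|u1", "date": "2024-01-01T11:30:00.000Z",
     "details": {"authenticator_id": "totp|dev_t1"}},
]

def _ts(event):
    return datetime.strptime(event["date"], "%Y-%m-%dT%H:%M:%S.%fZ")

def triage_mfa_failures(events, authenticators, window=timedelta(seconds=5)):
    """Label each gd_auth_failed event as 'inactive_probe' (failed authenticator is
    active=False and the same user has a gd_auth_succeed within `window`, i.e. the
    expected side effect from the thread) or 'review' (failure on an active
    authenticator, or no nearby success), which is what a detection rule keeps."""
    active = {a["id"]: a["active"] for a in authenticators}
    successes = [e for e in events if e["type"] == "gd_auth_succeed"]
    verdicts = []
    for e in events:
        if e["type"] != "gd_auth_failed":
            continue
        auth_id = e["details"]["authenticator_id"]
        near_success = any(
            s["user_id"] == e["user_id"] and abs(_ts(s) - _ts(e)) <= window
            for s in successes)
        benign = active.get(auth_id) is False and near_success
        verdicts.append((auth_id, "inactive_probe" if benign else "review"))
    return verdicts
```

The window is deliberately short because the failures for inactive authenticators land in the same login attempt as the success; a failure that is far from any success, or that hits the active authenticator, is the one worth a look.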

Perfect! Glad to hear that!