Match inbound SMS phone numbers for MFA enrollments with Auth0 user accounts

Problem statement

We run a busy call center and would like to interrogate an inbound MFA (SMS) authentication session and match it with the Auth0 user account(s). This operation needs to be performed dynamically in real time.

Solution

Auth0 does not provide any direct API that could facilitate interrogating an inbound SMS, extracting the number, and matching it to one or more Auth0 user accounts. Please note that the same phone number may be associated with multiple accounts, so any solution needs to account for that possibility.

The first part of the challenge relates to the interrogation of the inbound SMS message. This is specific to the call-center software and architecture. Most systems offer some customization and can make an API request to a database when a call comes in, so as a first step you should check the documentation of the call-center product.

Assuming that the call-center software provides this functionality, possible options are:

  • If the call-center software has an event-driven architecture, an incoming call could trigger an event that calls the Auth0 Management API and returns a customer account, but that logic would live in the call-center software.

  • You could build a micro app where the call-center agent manually enters a number and sees the responses from the Auth0 Management API.

The relevant Management API call would be User Search, which makes it possible to search the Auth0 user database for the SMS phone number (GET /api/v2/users). However, this endpoint is limited to retrieving 1000 users and may trigger rate limiting in some scenarios:
https://auth0.com/docs/troubleshoot/customer-support/operational-policies/rate-limit-policy
Therefore this approach is suitable only for low call volumes and small data sets.
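The following is an added example, not code from the original article or from Auth0: a Node.js helper that looks up every user on a phone number through the User Search endpoint described above. It validates the agent-typed number before placing it in the Lucene `q` parameter (so input from the micro app cannot change the shape of the query), pages through results up to the 1000-user search cap, reports when the cap was hit, and waits out an HTTP 429 response using the `x-ratelimit-reset` header from Auth0's rate-limit policy. The tenant domain, the Management API token, the `fetchImpl` and `sleep` parameters, and the sample users in the stub are assumptions so the code can run offline.

```javascript
// Added example (not from the original article): search Auth0 users by phone
// number via GET /api/v2/users (search_engine=v3), paging up to the 1000-user
// cap and backing off on HTTP 429. Domain, token, fetchImpl and sleep are
// assumptions; fetchImpl has the signature of the global fetch.

// Normalise an agent-typed number to E.164 (leading "+" and 8-15 digits).
// Returns null for anything that does not look like a phone number.
function toE164(raw) {
  const digits = String(raw).replace(/[^\d]/g, "");
  if (digits.length < 8 || digits.length > 15) return null;
  return "+" + digits;
}

// Build the Lucene query for the `q` parameter. Only a validated, digit-only
// number ever reaches the query, wrapped in double quotes, so free-text input
// such as `x OR email:*` is rejected instead of widening the search.
function buildPhoneQuery(raw) {
  const e164 = toE164(raw);
  if (!e164) throw new Error("invalid phone number");
  return `phone_number:"${e164}"`;
}

const PER_PAGE = 100;    // Management API maximum page size
const SEARCH_CAP = 1000; // User Search never returns more than 1000 users

// Fetch every user whose phone_number matches, up to the search cap.
// Resolves { users, capped }; capped=true means more matches exist than User
// Search can return and the export-based approach should be used instead.
async function findUsersByPhone({ domain, token, phone, fetchImpl = fetch,
                                  sleep = (ms) => new Promise((r) => setTimeout(r, ms)) }) {
  const q = buildPhoneQuery(phone);
  const users = [];
  let capped = false;
  let page = 0;
  while (page * PER_PAGE < SEARCH_CAP) {
    const params = new URLSearchParams({
      q, search_engine: "v3", page: String(page),
      per_page: String(PER_PAGE), include_totals: "true",
    });
    const res = await fetchImpl(`https://${domain}/api/v2/users?${params}`, {
      headers: { Authorization: `Bearer ${token}` },
    });
    if (res.status === 429) {
      // Rate limited: wait until the window resets (Unix seconds), capped at
      // 10 s for this example, then retry the same page.
      const resetMs = Number(res.headers.get("x-ratelimit-reset")) * 1000;
      await sleep(Math.min(Math.max(0, resetMs - Date.now()), 10000));
      continue;
    }
    if (!res.ok) throw new Error(`user search failed: HTTP ${res.status}`);
    const body = await res.json(); // { start, limit, length, total, users }
    users.push(...body.users);
    if (body.total > SEARCH_CAP) capped = true;
    if (users.length >= body.total || body.users.length < PER_PAGE) break;
    page++;
  }
  return { users, capped };
}
```

When `capped` comes back true the call-center app should not treat the partial list as authoritative; that is exactly the situation in which the export-based index below becomes necessary.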

Another approach might be to export the current set of user accounts:

https://auth0.com/docs/manage-users/user-migration/bulk-user-exports

Then extract the user_id and the SMS phone_number (which may be null if the user is not enrolled for MFA) and store them in an external database. Please note that care should be taken to distinguish between SMS used for Passwordless and SMS used for MFA.

Once you have an external database of user_ids and their related SMS-MFA numbers, it should be possible to use an Action to capture a newly registered user's user_id and store it in the external database. Then, when the user registers for MFA and attempts to log in, you could capture the SMS phone number using the Event Object phone_number attribute.

You could then match this to the user_id in the external database.
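The following added example (not code from the original article or from Auth0) ties together the export step and the Action step above: it builds the external index of phone number to user_ids from a bulk-export NDJSON file, distinguishes SMS passwordless accounts from MFA-enrolled accounts, keeps the index current from a post-login Action handler, and answers the call-center lookup with every account on a number. The export layout (`user_id`, `phone_number`, `identities[].connection`), the Action event fields used (`event.user.user_id`, `event.user.phone_number`, `event.user.identities`), the rule that a non-passwordless user with a phone number is an MFA enrollee, and the in-memory `store` standing in for the external database are all assumptions; the sample export lines are constructed.

```javascript
// Added example (not from the original article): phone -> user_id index built
// from a bulk-export NDJSON file and kept current from a post-login Action.
// Field names, the passwordless-vs-MFA rule and the in-memory store are
// assumptions; in production `store` would be the external database.

// Normalise a number to E.164 (leading "+" and 8-15 digits) or null.
function toE164(raw) {
  const digits = String(raw ?? "").replace(/[^\d]/g, "");
  if (digits.length < 8 || digits.length > 15) return null;
  return "+" + digits;
}

// "passwordless": the number belongs to the built-in "sms" passwordless
// connection; "mfa": any other user carrying a phone_number is assumed to be
// MFA-enrolled (per the article, the field is null otherwise).
function classifyPhone(user) {
  if (!user.phone_number) return null;
  const passwordless = (user.identities || []).some((i) => i.connection === "sms");
  return passwordless ? "passwordless" : "mfa";
}

// Store shape: Map<phone E.164, Map<user_id, "mfa" | "passwordless">>.
function createStore() { return new Map(); }

// Insert or refresh one user; returns false when there is nothing to index.
function upsert(store, user) {
  const kind = classifyPhone(user);
  const phone = toE164(user.phone_number);
  if (!kind || !phone || !user.user_id) return false;
  if (!store.has(phone)) store.set(phone, new Map());
  store.get(phone).set(user.user_id, kind);
  return true;
}

// Ingest a bulk export (one JSON object per line). Malformed or unindexable
// lines are counted as skipped rather than aborting the whole load.
function loadExport(store, ndjson) {
  let loaded = 0, skipped = 0;
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    let user;
    try { user = JSON.parse(line); } catch (e) { skipped++; continue; }
    if (upsert(store, user)) loaded++; else skipped++;
  }
  return { loaded, skipped };
}

// Post-login Action body. In a deployed Action this function is assigned to
// `exports.onExecutePostLogin`; the store is injected here so it runs offline.
function makePostLoginHandler(store) {
  return async (event, api) => {
    const u = event.user || {};
    upsert(store, { user_id: u.user_id, phone_number: u.phone_number, identities: u.identities });
  };
}

// Call-center lookup: all accounts on the number, MFA enrollees only unless
// the caller explicitly asks to include passwordless SMS accounts.
function lookupByPhone(store, rawPhone, { includePasswordless = false } = {}) {
  const phone = toE164(rawPhone);
  const entries = phone ? store.get(phone) : undefined;
  if (!entries) return [];
  return [...entries]
    .filter(([, kind]) => includePasswordless || kind === "mfa")
    .map(([user_id, kind]) => ({ user_id, kind }))
    .sort((a, b) => a.user_id.localeCompare(b.user_id));
}

// Constructed sample export: two MFA users sharing a number, one passwordless
// user on the same number, one user without a phone, one corrupt line.
const SAMPLE_EXPORT = [
  { user_id: "auth0|alice", phone_number: "+15551230001", identities: [{ connection: "Username-Password-Authentication" }] },
  { user_id: "auth0|bob", phone_number: "+15551230001", identities: [{ connection: "Username-Password-Authentication" }] },
  { user_id: "sms|carol", phone_number: "+15551230001", identities: [{ connection: "sms" }] },
  { user_id: "auth0|dave", phone_number: null, identities: [{ connection: "Username-Password-Authentication" }] },
].map((u) => JSON.stringify(u)).concat(["{not json"]).join("\n");
```

Because the lookup returns a list rather than a single account, the agent-facing screen should present every match and never auto-select one; the passwordless account on the same number is deliberately hidden unless requested, which is the Passwordless/MFA distinction the article calls out.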

There may be other ways to implement this functionality, though this would be a good starting point.

Note that due to the large number of call-center products on the market, this would be an ideal project for a Professional Services engagement, as they may have implemented this type of functionality in previous projects. Here is how to contact our Professional Services team.