MFA API doesn't return recovery_codes

t.fukao · May 1, 2025, 4:41am

I’m trying to enroll a user’s authenticator using the MFA API.

$response = Http::withHeaders([
    'Authorization' => 'Bearer ' . $request->mfa_token,
    'Content-Type' => 'application/json',
])->post('https:// { MY_DOMAIN } /mfa/associate', [
    'authenticator_types' => ['otp'],
]);

According to this, the response should inclueds the recovery_codes.
However, I’m not seeing any.

{
    "authenticator_type": "otp",
    "secret": "******",
    "barcode_uri": "otpauth://totp/******"
}

I’m using the following method to check if it’s the user’s first authenticator association.
The MFA API is used only when it results in false.

$get_factor_api = Auth0::management()
    ->users()
    ->getAuthenticationMethods(
        user: Auth::id(),
    );
    $get_factor_api_response = json_decode($get_factor_api->getBody()->getContents());

    return count($get_factor_api_response) > 0 ? true : false;

( I’m using the laravel-auth0 )

The scopes in the MFA token are openid, profile, email, enroll and offline_access.

Is there something wrong?

t.fukao · May 1, 2025, 6:17am

I’ve found the solution.
Dashboard → Security → Multi-factor Auth, and toggle Recovery codes on.

Topic		Replies	Views
Only one recovery code generated while enrolling to mfa Get Help mfa , recovery-code-factor	2	41	January 21, 2025
Multi Factor Authentication Association Get Help	12	5413	June 30, 2022
Use api.authentication.enrollWithAny to Enroll in Recovery Code after Enrolling in Another Factor Knowledge Articles actions , recovery-code , multifactor-authentication , apiauthenticationenrollwith , apiauthenticationenrollwithany	1	74	November 15, 2024
MFA management issues Get Help mfa	2	3045	July 28, 2022
Reset MFA after recovery code Get Help mfa , recovery-code-factor	2	362	January 7, 2025

MFA API doesn't return recovery_codes

Related topics