Feature: Return “link_id” in push’s fallback totp factor from GET /mfa/authenticators API response
Description:
Given that the tenant has 3 MFA factors enabled: Push Notification, OTP and Recovery Code.
From Web/Apps, we are trying to build a User Profile page which includes a “Two-factor authentication” section. Inside that section, a user can see the enrollment status of:
- Push notification (with fallback TOTP code)
- Regular TOTP
If a user has enrolled in 2 factors, “Push notification” and “TOTP”, then getting the authenticators from the Auth0 Authentication API returns 2 “totp”s: one is the “Push’s fallback totp” and the other is the “regular TOTP”. There is no field to help clients (web & apps) determine which is the “fallback totp” and which is the “regular TOTP”.
We need to determine the right TOTP to show the right enrollment status and also let the user un-enroll the right “regular TOTP”.
For example, the response from GET https://{domain}/mfa/authenticators:
[
  {
    "id": "push|dev_xmTNN64R6vbZGw88",
    "authenticator_type": "oob",
    "active": true,
    "oob_channel": "auth0",
    "name": "Emulator samsung S21"
  },
  {
    "id": "totp|dev_4IXxLVGYsK7YV6Nv",
    "authenticator_type": "otp",   <--- No clue to determine this is Push's fallback totp
    "active": true
  },
  {
    "id": "recovery-code|dev_yQglRdhIedFQFUIX",
    "authenticator_type": "recovery-code",
    "active": true
  },
  {
    "id": "totp|dev_hZyecPTrrAX05DHY",
    "authenticator_type": "otp",   <--- Regular TOTP, but can't be distinguished from Push's fallback totp above
    "active": true
  }
]
Use-case: As mentioned in the description, we are building the User Profile page with a “Two-factor authentication” section in our apps/web. We are aware that we can get the “link_id” info by using the Management API (the same goes for the guardian_authenticators info on the tenant’s User Management, as in the image below). But we avoid using the Management API because:
- Using the Management API from our backend: rate limiting issues
- Using the Management API from web/apps: risky, basically using “root access”; it opens a security hole.
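The client-side logic the profile page needs, as an added example (not code from the original post or from Auth0): it classifies a GET /mfa/authenticators response into the enrollment statuses above. It assumes the requested feature, i.e. that a push's fallback TOTP entry carries a link_id equal to the id of its push authenticator; without that field it reports the response as ambiguous rather than guessing which TOTP is safe to un-enroll.

```javascript
// Constructed sample response, shaped like the one in the post, plus the
// ASSUMED "link_id" field on the push's fallback TOTP entry.
const sampleResponse = [
  { id: "push|dev_xmTNN64R6vbZGw88", authenticator_type: "oob", active: true,
    oob_channel: "auth0", name: "Emulator samsung S21" },
  { id: "totp|dev_4IXxLVGYsK7YV6Nv", authenticator_type: "otp", active: true,
    link_id: "push|dev_xmTNN64R6vbZGw88" }, // assumed field (feature request)
  { id: "recovery-code|dev_yQglRdhIedFQFUIX", authenticator_type: "recovery-code", active: true },
  { id: "totp|dev_hZyecPTrrAX05DHY", authenticator_type: "otp", active: true },
];

// Derive what the "Two-factor authentication" section should display.
function classifyAuthenticators(authenticators) {
  const active = authenticators.filter((a) => a.active === true);
  // Push enrollments are "oob" authenticators delivered over the auth0 channel.
  const pushIds = new Set(
    active.filter((a) => a.authenticator_type === "oob" && a.oob_channel === "auth0")
          .map((a) => a.id),
  );
  const otps = active.filter((a) => a.authenticator_type === "otp");
  // With link_id: an OTP entry is the fallback of the push it points to.
  const fallback = otps.filter((a) => typeof a.link_id === "string" && pushIds.has(a.link_id));
  // A link_id pointing at a push that is no longer enrolled is worth surfacing.
  const orphaned = otps.filter((a) => typeof a.link_id === "string" && !pushIds.has(a.link_id));
  const regular = otps.filter((a) => a.link_id === undefined);
  // Without link_id, a push enrollment plus any OTP entry is exactly the
  // ambiguity the post describes: nothing tells fallback and regular apart.
  const ambiguous = pushIds.size > 0 && otps.length > 0 && fallback.length === 0;
  return {
    pushEnrolled: pushIds.size > 0,
    pushHasFallbackTotp: fallback.length > 0,
    regularTotpEnrolled: !ambiguous && regular.length > 0,
    // Only these ids may be offered for un-enrollment as "regular TOTP".
    regularTotpIds: ambiguous ? [] : regular.map((a) => a.id),
    orphanedFallbackIds: orphaned.map((a) => a.id),
    ambiguous,
  };
}

// Same response as today's API, i.e. with no link_id anywhere.
function stripLinkIds(authenticators) {
  return authenticators.map(({ link_id, ...rest }) => rest);
}
```

With link_id present the page can show "Push notification (with fallback TOTP code)" and "Regular TOTP" as enrolled and offer only totp|dev_hZyecPTrrAX05DHY for un-enrollment; with today's response the function refuses to pick one.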