MFA Email factor failed for second time

I tried to use the MFA Email factor successfully for the first time (login, enroll authenticators, and confirm authenticators).
But it failed when I tried for the second time, with an error naming 2 attributes, multifactor_last_modified and multifactor:

    "error": "access_denied",
    "error_description": "Payload validation error: 'Additional properties not allowed: multifactor_last_modified,multifactor (consider storing them in app_metadata or user_metadata. See \"Users Metadata\" in for more details)'."

The expected result should be a JSON with an error message that mfa_required.

I enabled 2FA via a Rule with this code:

    function multifactorAuthentication(user, context, callback) {
      /*
      You can trigger MFA conditionally by checking:
      1. Client ID:
      context.clientID === 'REPLACE_WITH_YOUR_CLIENT_ID'
      2. User metadata:
      */

      // Require MFA only for logins to this application (client ID).
      if (context.clientID === 'm2tMUuWeq3RoLk8CQGJmC4jnziuFoY2b') {
        context.multifactor = {
          provider: 'any',

          // optional, defaults to true. Set to false to force authentication every time.
          // See for details
          allowRememberBrowser: false
        };
      }

      // Continue the login pipeline with the (possibly modified) context.
      callback(null, user, context);
    }

Configuration on Tenant: (Never, so that the Rule will be applied by Application)

Configuration on Application:

I’ve checked the log and saw that there is an “Api update user” after successfully confirming the challenge. And it seems this update causes the error.

Can you please help with what I missed? Or how can I overcome this issue?

Perfect! Thanks for sharing it with the rest of community!
