MFA email unreliable since offline access was activated

Hi,
Sorry if my post lacks information, we’re still investigating and it’s hard to gather information since we’re not receiving specific errors (or any, actually).

We’ve been using MFA through email for a while (I wasn’t working on the project at its beginning, but we’ve been using it reliably for between a few months and a year), but since 2 days ago it became unreliable for all users.
Any user will randomly not receive the MFA code during authentication, despite receiving no errors on our API (and the email is not sent to spam). Basically, from our point of view, everything “works”, yet no email is received. There also seems to be no constant on when it fails; I can log in successfully 20 times in a row, and sometimes I can’t even log in once without it failing.

The only thing that changed was our implementation of the refresh_token, which requires activating “offline access” and “refresh token rotation” on our auth0-API. It might be a coincidence, but the MFA problem arrived exactly at the same time.

For our implementation, we’re using the resource_owner_grant handled directly from our API, handling login, login-with-mfa, and recently the refresh_token with rotation.

  1. When the user logs in, an error is generated since MFA is required, triggering the email process.
  2. The user receives the MFA code, and proceeds to actually log in.
  3. After 24h (or receiving a 401 from our API), the refresh token is exchanged for new access+refresh tokens

The refresh_token itself works fine, the problem is specifically on the login process (step 1).

Hoping you can help us shed light on the matter,
thanks a lot

I was able to test different configurations outside of our client’s work hours, and it seems the problem persists even without “offline_access” and “rotation” activated, so it might be a pure coincidence that both happened at the same time.

I would still like to know what can cause errors on the MFA side because it’s creating a lot of frustration on their end.