Multi Factor Authentication Association

Hi,

I am registering an MFA as per the documentation at Enroll and Challenge OTP Authenticators

HttpResponse<String> response = Unirest.post("https://[DOMAIN_NAME]/mfa/associate")
		  .header("authorization", "Bearer "+mfa_token)
		  .body("{ \"authenticator_types\": [\"otp\"] }")
		  .asString();

However, I receive this weird error all the time. Please help.

{"error":"invalid_request","error_description":"authenticator_types must be an array","error_uri":400}

Hey @srikanth.kaleshwaram, do you receive this error every time or is it intermittent? If it’s intermittent, what’s the workflow to recreate it? I just want to understand more of what may be going on. Thanks in advance!

@James.Morrison
Re:
However, I receive this weird error all the time. Please help.

The issue occurs all the time.

@James.Morrison, the issue is resolved by setting the content-type attribute in the header to application/json.

When I list the authenticators, below is the response. How do I set the authenticator/s active flag to true to proceed with issuing a challenge?

[{"id":"recovery-code|dev_7sCXgHBIZcxlzg7p","authenticator_type":"recovery-code","active":false}]

I’m glad to hear that you were able to get the initial issue resolved. I have included some documentation relating to the authenticator active call. Please let me know if this continues to help you on your quest.

https://auth0.com/docs/multifactor-authentication/api/manage#list-authenticators

https://auth0.com/docs/multifactor-authentication/api/otp#3-confirm-the-authenticator-association

@James.Morrison, I have followed the docs mentioned. Calling the /mfa/authenticators endpoint returns the list of authenticators, but the status of them is false.

[{"id":"recovery-code|dev_7sCXgHBIZcxlzg7p","authenticator_type":"recovery-code","active":false}]

How do I activate the authenticator or set the active flag to true? Thanks!

I will find out for you @srikanth.kaleshwaram and let you know. Thanks!

After talking with our support team @srikanth.kaleshwaram I was able to find out that in general, authenticators are confirmed (and marked as active) after first use. The recovery-code will get confirmed once you confirm your first authenticator.

In case of One Time Password Authenticator, you need to use it at least once (during enrollment) for it (and the recovery code) to become active.

Authenticators not marked as active won’t be challenged during MFA, so you won’t be actually enrolled in MFA until you have at least one authenticator marked as active. I hope this helps provide some insight. Please let me know if you have any additional questions on the subject.
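
Added example (not part of the thread and not Auth0's code): a Python sketch of the two points above, building the /mfa/associate request with the Content-Type header that resolved the error, and checking a /mfa/authenticators response for an active authenticator before treating the user as enrolled. The tenant domain, the function names and the second sample response are assumptions constructed for illustration; the first sample is the response quoted in the thread.

```python
import json
import urllib.request

DOMAIN = "tenant.example.com"  # assumption: placeholder tenant domain

# Response body quoted in the thread (only the recovery code, not active).
THREAD_RESPONSE = ('[{"id":"recovery-code|dev_7sCXgHBIZcxlzg7p",'
                   '"authenticator_type":"recovery-code","active":false}]')
# Constructed sample: state after the OTP authenticator was confirmed by use.
CONFIRMED_SAMPLE = ('[{"id":"otp|dev_EXAMPLE","authenticator_type":"otp","active":true},'
                    '{"id":"recovery-code|dev_EXAMPLE","authenticator_type":"recovery-code",'
                    '"active":true}]')


def build_associate_request(mfa_token, authenticator_types=("otp",)):
    """Build (without sending) the POST /mfa/associate call from the thread,
    including the Content-Type header whose absence produced the
    "authenticator_types must be an array" error."""
    body = json.dumps({"authenticator_types": list(authenticator_types)})
    return urllib.request.Request(
        f"https://{DOMAIN}/mfa/associate",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {mfa_token}",
                 "Content-Type": "application/json"},
    )


def enrollment_status(authenticators_json):
    """Classify a /mfa/authenticators response: per the thread, a user is only
    enrolled once at least one authenticator is marked active."""
    items = json.loads(authenticators_json)
    if not isinstance(items, list):
        raise ValueError("expected a JSON array of authenticators")
    active, pending = [], []
    for item in items:
        # Only a literal JSON true counts; a string such as "false" is truthy
        # in Python and must not be mistaken for an active authenticator.
        bucket = active if item.get("active") is True else pending
        bucket.append(item["id"])
    return {"enrolled": bool(active), "active": active, "pending": pending}


if __name__ == "__main__":
    req = build_associate_request("MFA_TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url, req.header_items())
    print(enrollment_status(THREAD_RESPONSE))
    print(enrollment_status(CONFIRMED_SAMPLE))
```
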

I wanted to touch base with you @srikanth.kaleshwaram and see if this helped answer your question? Thanks in advance!

None, Jim. Thanks for the info :)

Sounds great and please let me know in the future if you have any additional questions!


We have created a FAQ related to this topic. Please check it out ~ How to Enroll a User in Both Google Authenticator and SMS with MFA API