I want to implement multi factor authentication in my application. I send an enrollment email to the user, and when they click on the enrollment link in the email, they are taken to an Auth0 universal login-esque page to enroll their phone number. However, as part of the SLAs with our company clients, all of their user’s email and phone numbers provided to us are assumed to be verified. Thus, we do not want the users to enter their own phone numbers when enrolling for multi factor authentication because of the possibility that they might enter a number different from the one given to us by our clients (i.e. the user’s employers).
So, I have two questions in this regard:
-
Can we enroll users directly using the management API without any interaction from the users themselves? I have tried setting a user’s phone number using the management API but it says that only users with SMS connections (i.e. passwordless login users) can be assigned phone numbers using the management API. Our connection type is database.
-
Is there any way to disable the option for the user to enter any phone number when enrolling for multi factor authentication, thus allowing us to enter the phone number of the user that was given to us by the user’s employers, in the Auth0 enrollment web page after the user clicks on the enrollment link it the email.
I have looked up the auth0-guardian JS library as well to implement this functionality manually in my front end application, but I am unable to user that library because I am unable to initialize it without a request token or ticket. The documentation is not clear on how to get either of these.