Problem statement
We’re building a custom UI to allow logged-in users to change their Auth0 MFA number, following this documentation: Manage Authentication Factors with Authentication API
We only have the phone number as the MFA option, with either voice or text message.
Do we need to reset users’ existing MFA numbers before they’re allowed to enroll in another one?
What would be the endpoints that we’d need to call in order after obtaining the MFA token?
Solution
When using the MFA API, the procedure could be:
- User logs into their account, requesting the MFA API audience and scopes for enroll, read:authenticators, and remove:authenticators.
- User completes MFA using their existing enrolled authenticator (e.g. old phone number or via recovery code).
- With the MFA access token available, and using the list authenticators endpoint, the existing SMS authenticator’s ID can be found: Authentication API Explorer
- The existing authenticator is deleted using this endpoint: Authentication API Explorer
- Enrolment can now be carried out for a new SMS authenticator following the steps here: Enroll and Challenge SMS and Voice Authenticators
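The steps above, carried through as one script. This is an added example and not Auth0's own code or sample: it assumes the tenant domain `example.auth0.com`, a placeholder MFA access token, the MFA API paths `GET /mfa/authenticators`, `DELETE /mfa/authenticators/{id}` and `POST /mfa/associate`, and that listed authenticators carry `id`, `authenticator_type`, `oob_channel` and `active` fields. The `FakeTransport` class is a constructed stand-in for Auth0 so the flow can be exercised offline; pass `urllib_send` instead to talk to a real tenant.

```python
import json
from urllib import request as urlrequest
from urllib.error import HTTPError

# Audience and scopes the user must request at login so the resulting access
# token can be used against the MFA API (step 1 of the procedure).
MFA_SCOPES = "enroll read:authenticators remove:authenticators"


def mfa_audience(domain: str) -> str:
    return f"https://{domain}/mfa/"


def urllib_send(method, url, headers, body):
    """Real transport: send the request, return (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urlrequest.Request(url, data=data, method=method, headers=headers)
    try:
        with urlrequest.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except HTTPError as err:
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)


class MfaApi:
    """Wrapper over the MFA API calls needed to replace a phone factor.

    `send` is injectable so the flow can run without network access.
    """

    def __init__(self, domain, mfa_token, send=urllib_send):
        self.base = f"https://{domain}"
        self.send = send
        self.headers = {"Authorization": f"Bearer {mfa_token}",
                        "Content-Type": "application/json"}

    def _call(self, method, path, body=None):
        status, payload = self.send(method, self.base + path, self.headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed: {status} {payload}")
        return payload

    def list_authenticators(self):
        return self._call("GET", "/mfa/authenticators")

    def phone_authenticators(self):
        # Phone factors are active OOB authenticators on the sms or voice channel;
        # recovery codes and other factor types are left untouched.
        return [a for a in self.list_authenticators()
                if a.get("authenticator_type") == "oob"
                and a.get("oob_channel") in ("sms", "voice")
                and a.get("active")]

    def delete_authenticator(self, authenticator_id):
        self._call("DELETE", f"/mfa/authenticators/{authenticator_id}")

    def enroll_phone(self, phone_number, channel="sms"):
        # Returns the association response; the oob_code it contains is then
        # exchanged, together with the code sent to the phone, at /oauth/token.
        return self._call("POST", "/mfa/associate", {
            "authenticator_types": ["oob"],
            "oob_channels": [channel],
            "phone_number": phone_number,
        })

    def replace_phone(self, new_number, channel="sms"):
        removed = [a["id"] for a in self.phone_authenticators()]
        for authenticator_id in removed:
            self.delete_authenticator(authenticator_id)
        assoc = self.enroll_phone(new_number, channel)
        return {"removed": removed, "oob_code": assoc.get("oob_code")}


class FakeTransport:
    """Constructed stand-in for the tenant: canned responses plus a call log."""

    def __init__(self):
        self.calls = []
        self.authenticators = [
            {"id": "sms|dev_old", "authenticator_type": "oob", "oob_channel": "sms",
             "active": True, "name": "XXXXXXXX1234"},
            {"id": "recovery-code|dev_rc", "authenticator_type": "recovery-code",
             "active": True},
        ]

    def __call__(self, method, url, headers, body):
        path = "/" + url.split("/", 3)[3]
        self.calls.append((method, path))
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": "unauthorized"}
        if method == "GET" and path == "/mfa/authenticators":
            return 200, list(self.authenticators)
        if method == "DELETE" and path.startswith("/mfa/authenticators/"):
            target = path.rsplit("/", 1)[1]
            before = len(self.authenticators)
            self.authenticators = [a for a in self.authenticators if a["id"] != target]
            return (204, None) if len(self.authenticators) < before else (404, {"error": "not_found"})
        if method == "POST" and path == "/mfa/associate":
            return 200, {"oob_code": "constructed_oob_code", "binding_method": "prompt",
                         "authenticator_type": "oob", "oob_channel": body["oob_channels"][0]}
        return 404, {"error": "not_found"}


def run_demo():
    """Replace the enrolled SMS number against the fake tenant; return what happened."""
    fake = FakeTransport()
    api = MfaApi("example.auth0.com", "MFA_ACCESS_TOKEN_PLACEHOLDER", send=fake)
    result = api.replace_phone("+15550100000", channel="sms")
    result["calls"] = list(fake.calls)
    result["remaining"] = [a["id"] for a in api.list_authenticators()]
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

`replace_phone` only removes phone (sms/voice) factors, so the user's recovery code survives the swap. The `oob_code` it returns is not yet a usable factor: per the linked enrolment guide, the new number becomes active only after the code delivered to the phone is submitted with that `oob_code` at `/oauth/token`, so a UI built on this should keep the user in the confirmation step until that call succeeds.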