Null Recovery Code value on second code request

Problem statement

We have our own custom MFA page setup that uses the Auth0 MFA API. We generate Recovery Codes for our users and send them through our own email service. If a user did not receive the email for any reason, they can try to have it resent, but this second attempt generates a Recovery Code with a value of Null.

Cause

The null Recovery Code in the second attempt came from your backend. The first time they make a call to generate a recovery code in their app, their backend calls the ‘/mfa/associate’ endpoint to enroll the email authenticator for the user:

https://auth0.com/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators#enroll-authenticator

The first time you call this endpoint, you get a response like this one:


{
"authenticator_type": "oob",
"binding_method": "prompt",
"oob_code" : "ABC****",
"oob_channel": "email",
"recovery_codes": [ "XYZ**************************" ]
}

But if the user does not receive the email with the binding_code, and they try again (click on the “Resend” link), the next time they call ‘/mfa/associate’ they won’t receive another recovery code, and this is by design, you one get the recovery code once. That’s why their custom implementation shows a null value.

Solution

The solution for this is to regenerate the recovery codes for that user if you don’t receive “recovery_codes” in the response:

https://auth0.com/docs/secure/multi-factor-authentication/manage-mfa-auth0-apis/manage-authenticator-factors-mfa-api#regenerate-recovery-codes