Problem statement
We have our own custom MFA page set up that uses the Auth0 MFA API. We generate Recovery Codes for our users and send them through our own email service. If a user did not receive the email for any reason, they can try to have it resent, but this second attempt generates a Recovery Code with a value of null.
Cause
The null Recovery Code in the second attempt comes from your backend, not from Auth0. The first time your app generates a recovery code, your backend calls the "/mfa/associate" endpoint to enroll the email authenticator for the user. On that first call you get a response like this one:
{
  "authenticator_type": "oob",
  "binding_method": "prompt",
  "oob_code": "ABC****",
  "oob_channel": "email",
  "recovery_codes": [ "XYZ**************************" ]
}
But if the user does not receive the email with the binding_code and tries again (clicks on the "Resend" link), the next call to "/mfa/associate" will not return another recovery code. This is by design: the recovery code is returned only once, when the authenticator is first enrolled. That is why your custom implementation ends up with a null value on the second attempt.
Solution
The solution is to regenerate the recovery code for that user whenever the "/mfa/associate" response does not contain "recovery_codes", instead of forwarding the missing value to your email service:
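The following is an added example, not code from the article or from Auth0, showing the backend logic described above: parse the "/mfa/associate" response, detect that "recovery_codes" is absent on a resend, and fall back to regenerating the code instead of emailing null. The two sample responses are constructed from the shape shown in the article. The regeneration call is assumed to be the Management API endpoint POST /api/v2/users/{id}/recovery-code-regeneration returning {"recovery_code": "..."}; the HTTP client is injected so the logic can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Constructed sample responses from POST /mfa/associate (shape taken from the article).
# First enrollment: recovery_codes is present.
FIRST_ASSOCIATE_RESPONSE = json.dumps({
    "authenticator_type": "oob",
    "binding_method": "prompt",
    "oob_code": "ABC****",
    "oob_channel": "email",
    "recovery_codes": ["XYZ**************************"],
})
# Resend: same endpoint, but Auth0 does not return recovery_codes a second time.
RESEND_ASSOCIATE_RESPONSE = json.dumps({
    "authenticator_type": "oob",
    "binding_method": "prompt",
    "oob_code": "DEF****",
    "oob_channel": "email",
})


def recovery_code_from_associate(body: str) -> Optional[str]:
    """Return the first recovery code from an /mfa/associate response, or None.

    This is the value a naive implementation would email as-is; on a resend it is
    None, which is exactly the "null Recovery Code" from the problem statement.
    """
    data = json.loads(body)
    codes = data.get("recovery_codes") or []
    return codes[0] if codes else None


def _urllib_post(url: str, headers: dict) -> str:
    """Default HTTP poster using only the standard library (empty POST body)."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def regenerate_recovery_code(domain: str, user_id: str, mgmt_token: str,
                             post: Callable[[str, dict], str] = _urllib_post) -> str:
    """Ask the Management API for a fresh recovery code for user_id.

    Assumed endpoint: POST https://{domain}/api/v2/users/{id}/recovery-code-regeneration
    with a Management API token that has the update:users scope, returning
    {"recovery_code": "..."}. The user id is URL-encoded because Auth0 ids contain
    characters such as '|' (for example "auth0|..."), which must not be sent raw.
    """
    encoded_id = urllib.parse.quote(user_id, safe="")
    url = f"https://{domain}/api/v2/users/{encoded_id}/recovery-code-regeneration"
    headers = {
        "Authorization": f"Bearer {mgmt_token}",
        "Content-Type": "application/json",
    }
    body = post(url, headers)
    return json.loads(body)["recovery_code"]


def recovery_code_for_email(associate_body: str, regenerate: Callable[[], str]) -> str:
    """Decide what to email: the code from /mfa/associate if present, otherwise a
    regenerated one. Never returns None, so the email template never sees null."""
    code = recovery_code_from_associate(associate_body)
    if code is None:
        # Resend path: Auth0 only hands out recovery codes once, so regenerate.
        code = regenerate()
    return code


if __name__ == "__main__":
    # Offline demonstration with a fake poster standing in for the Management API.
    def fake_post(url: str, headers: dict) -> str:
        assert url.endswith("/recovery-code-regeneration")
        return json.dumps({"recovery_code": "NEW-CODE-EXAMPLE"})

    regenerate = lambda: regenerate_recovery_code(
        "example-tenant.auth0.com", "auth0|placeholder-user-id", "PLACEHOLDER_TOKEN",
        post=fake_post)
    print("first enrollment:", recovery_code_for_email(FIRST_ASSOCIATE_RESPONSE, regenerate))
    print("resend:", recovery_code_for_email(RESEND_ASSOCIATE_RESPONSE, regenerate))
```

The fix is the fallback in recovery_code_for_email: the resend path no longer trusts the associate response to carry a recovery code. Keep in mind that regeneration invalidates the user's previous recovery code, so it should only be triggered on the resend path, never on the first enrollment where the code was already returned.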