Prepopulated mobile number for SMS MFA

Hi,

I am very new to Auth0, my requirement was to achieve passwordless signup via email and then kick MFA via SMS.

I am able to send an email (passwordless signup); when I click on the URL received, I want to kick off MFA via SMS, and for that I am redirecting to the URL below in the callback:

/authorize?client_id=<>&response_type=code&redirect_uri=http://localhost:8080/callback2&scope=openid profile email phone&connection=sms&prompt=login

But it does not show the MFA screen and throws the error below:
"no phone number or no verification code being provided."

Also, I want the customer's phone number to be pre-populated in the MFA screen.

Could you please help me?

Thanks,
Nitin

Welcome to Auth0 Community, @nitin_goenka2003 ,

By SMS MFA, are you trying to reauthenticate the user using Passwordless SMS? I don’t think that’s possible.

Please refer to Auth0’s documentation on MFA here: Multi-Factor Authentication (MFA).

You can enable SMS MFA by navigating to Security → Multi-factor Auth section in your Auth0 dashboard.

AFAIK, it’s not possible to pre-populate the user’s phone number in the MFA screen as well.

Hope this helps. Please let us know if you have further questions!


Thanks @supun for the prompt response,
So the objective is to achieve passwordless signup via email, but we are adding one more authentication factor before user signup, and that is via SMS. The user has to input the 6- or 8-digit code received on his/her mobile number.

So first, we are creating a user via the /api/v2/users API with the payload below:
{
"email": "nitin.goenka.ext@partners.axa",
"phone_number": <customer_mobile_number>,
"blocked": false,
"email_verified": false,
"phone_verified": true,
"given_name": "Nitin",
"family_name": "Goenka",
"connection": "sms",
"verify_email": false
}

and then invoke another API, /passwordless/start, with the payload below, to send an email to the customer for the signup:

{
"client_id": ,
"client_secret": valid client_secret,
"connection": "email",
"email": "nitin.goenka.ext@partners.axa",
"send": "link",
"authParams": {
"redirect_uri": "http://localhost:8080/callback",
"response_type": "code",
"scope": "openid profile email"
}
}

(We also create one rule in the Dashboard to merge the accounts via user email; the primary account connection will be "sms".)

When the user clicks on the link received, the accounts will get merged, and in the above callback URL we want to kick off MFA via SMS by redirecting to the URL below:

Are we missing something to pass before redirecting to the URL below?

/authorize?client_id=<>&response_type=code&redirect_uri=http://localhost:8080/callback2&scope=openid profile email phone&connection=sms&prompt=login

We don't want the customer to enter the mobile number, for security reasons.

Could you please have a look again?

Thanks,
Nitin
