Required SMS MFA Enrollment (Twilio) using Phone Number Collected via Progressive Profiling Action/Form

Hi Auth0 community,

I’m implementing a required Multi-Factor Authentication (MFA) step using SMS to verify users immediately after sign-up. We want this to be a core part of our onboarding to ensure real user identity verification before platform entry.

We currently use a Progressive Profiling Action + Forms flow to collect crucial data before the user’s first full login:

  1. User’s phone number (stored in `user_metadata.phone.number` as E.164 string).

  2. Legal consent for application updates (stored in `user_metadata.consent_terms_and_conditions`).

Our core problem is leveraging this pre-collected phone number for the required SMS MFA enrollment. We are using Twilio as our SMS provider.

This is the guide I used to set up our profiling form: https://auth0.com/docs/customize/forms/configure-progressive-profile-form

After the custom form is submitted and the `user_metadata` is updated, I am trying to use a Post-Login Action to force MFA enrollment:

I am using `api.authentication.enrollWith({ type: "phone", ... })` to trigger the standard Auth0 SMS flow.

Is there a prescribed method to bridge the phone number collected in a custom form so that Twilio/SMS MFA can seamlessly use it for required enrollment? I’d like to achieve a unified, smooth user experience without requiring the user to type their number twice.

Any guidance on the correct Action API methods or flow configuration would be greatly appreciated.

Thanks!

Hi @seangolob

Welcome back to the Auth0 Community!

I will be taking a look at the issue that you are having and will come back with an update ASAP.

Kind Regards,
Nik

Hi again @seangolob

Regarding the SMS configuration, it can be quite hard to achieve a seamless experience for the user when using progressive profiling or if the phone number attribute is added to your database. The main issue is that Auth0 is basically configured to allow users to enroll into MFA using a different phone number than the one that is set on their account, which creates the extra step of ‘confirming’ their newly added phone.

The simplest and closest thing that can help you achieve your desired flow would be to use the Management API in your Progressive Profiling Form to create an authentication method for the given user. Basically, you would be automatically enrolling them using the phone number collected in the form, and once the form flow is completed, they should be challenged directly via your action. The only issue this approach presents is that if they used the wrong phone number, the user will not be able to change it directly.

If you have any other questions, please let me know!

Kind Regards,
Nik
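
A sketch of the approach described in the reply above, added here as an example and not code from the thread or from Auth0: it builds the Management API call that creates a phone authentication method from the form-collected number, then challenges an already-enrolled user in the Post-Login Action. `TENANT_DOMAIN`, the method name, and the helper names are assumptions; because a wrong number cannot be changed by the user afterwards, the number is rejected unless it is valid E.164.

```javascript
// Added example. TENANT_DOMAIN and mgmtToken are placeholders supplied by you.
const TENANT_DOMAIN = "YOUR_TENANT.auth0.com";
// E.164: "+", first digit non-zero, at most 15 digits in total.
const E164 = /^\+[1-9]\d{1,14}$/;

// Build the request that enrolls the number stored by the progressive
// profiling form (user_metadata.phone.number) as an SMS authentication method.
// Returns null when the value is missing or malformed, so a bad number never
// becomes the factor the user is later challenged on.
function buildEnrollmentRequest(userId, metadata, mgmtToken) {
  const number = metadata && metadata.phone && metadata.phone.number;
  if (typeof number !== "string" || !E164.test(number)) return null;
  const id = encodeURIComponent(userId); // user ids contain "|"
  return {
    url: `https://${TENANT_DOMAIN}/api/v2/users/${id}/authentication-methods`,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${mgmtToken}`,
      },
      body: JSON.stringify({
        type: "phone",
        name: "Onboarding phone", // constructed label
        phone_number: number,
        preferred_authentication_method: "sms",
      }),
    },
  };
}

// Post-Login Action body; in the Action editor assign it to
// exports.onExecutePostLogin. Users who already hold a phone factor are
// challenged; anyone else falls back to the standard enrollment prompt.
function onExecutePostLogin(event, api) {
  const factors = event.user.enrolledFactors || [];
  if (factors.some((f) => f.type === "phone")) {
    api.authentication.challengeWith({ type: "phone" });
  } else {
    api.authentication.enrollWith({ type: "phone" });
  }
}
```

Send the request with `fetch(req.url, req.init)` from wherever the form flow has a Management API token, and treat a `null` result as a reason to send the user back to the form.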