Hello, despite extensive research and reviewing all available resources, I’m still unclear on how to implement resetting MFA after using a recovery code. Providing the best user experience is our priority. Can anyone please let me know if this functionality is feasible with Auth0?
Here’s the scenario:
- Users undergo an onboarding process where they set up MFA (no issues here).
- Subsequent logins require MFA (OTP) established during onboarding, along with access to a recovery code.
- If a user loses their device, we want them to utilize the recovery code. Upon using it, Auth0 responds with an access token. At this point, we aim to compel the user to establish new MFA (deleting the old one and setting up a new one). We can delete the old MFA using the Management API. However, the access token received from the recovery code login lacks the enroll scope.
Is it impossible to achieve this without requiring the user to log in again to set up MFA? Additionally, must we delete the recovery code authenticator to prevent Auth0 errors during the enrollment process, indicating the user is already enrolled?
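As an added example (not part of the question above or Auth0's own code), here is a Python check an application could run on the `/oauth/token` response from a recovery-code login to decide whether the returned token can be used for MFA API enrollment or whether the user must authenticate again first; the response shape and the unsigned sample token are constructed assumptions, not real Auth0 output.

```python
import base64
import json


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for local testing only (alg=none).
    Real Auth0 tokens are signed; never accept an unsigned token in production."""
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def jwt_payload(token: str) -> dict:
    """Read the payload of a compact JWT we already hold, without verifying it.
    This only inspects claims locally; it does not establish trust in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_scopes(token_response: dict) -> set:
    """Scopes granted by an /oauth/token response: prefer the top-level 'scope'
    field; fall back to the access token's 'scope' claim if the token is a JWT
    (tokens for the /userinfo audience are opaque and carry no claims)."""
    scopes = set(token_response.get("scope", "").split())
    if scopes:
        return scopes
    try:
        return set(jwt_payload(token_response["access_token"]).get("scope", "").split())
    except (KeyError, ValueError):
        return set()


def next_step_after_recovery(token_response: dict) -> str:
    """Decide what the app can do after a recovery-code login.
    'enroll' -> token carries the 'enroll' scope, so MFA API enrollment
                (/mfa/associate) can proceed with it
    'reauth' -> the scope is missing, so the user must authenticate again to
                obtain a token with the enroll scope before a new factor is set up"""
    return "enroll" if "enroll" in token_scopes(token_response) else "reauth"


# Constructed sample shaped like a recovery-code grant response (placeholder values).
SAMPLE_RECOVERY_RESPONSE = {
    "access_token": make_unsigned_jwt({"sub": "auth0|example", "scope": "openid profile"}),
    "scope": "openid profile",
    "recovery_code": "PLACEHOLDER-NEW-RECOVERY-CODE",  # replacement code; show it to the user
    "token_type": "Bearer",
}
```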