Resetting MFA does not disable it

Hi,

I'm a bit confused about how to completely disable MFA for a specific user.

  • User enrolled in MFA using the Guardian app
  • In the Admin dashboard, I can see the MFA info and the text "User is enrolled on MFA. Reset MFA"
  • If I click "Reset MFA", the MFA info is cleared and the text "MFA is enabled for this user. Send an enrollment invitation" is shown.

But…

If I get the user info from the Management API endpoint (https://{{auth0_domain}}/api/v2/users/:id), the MFA info still appears as

    "multifactor": [
        "guardian"
    ]

This element is not present for users who never enrolled in MFA.

Is it possible to clear this information from the user?

Thanks

Martin
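The question above is really two different things: what the dashboard's "Reset MFA" clears (the user's Guardian enrollments) versus the profile-level "multifactor" array that the Management API still returns. The script below is an added example written for this thread, not Auth0's own code: it reconciles a user profile with the user's enrollment list, flags the "profile says guardian but no live enrollment" case Martin hit, and builds the Management API v2 DELETE calls that clear each factor. The endpoint paths are the documented ones (DELETE /api/v2/guardian/enrollments/{id}, DELETE /api/v2/users/{id}/multifactor/{provider} for duo and google-authenticator only, and DELETE /api/v2/users/{id}/authenticators); that the dashboard reset maps to the authenticators route, and the token scopes named in apply_plan, are assumptions. The sample payloads, domain and token are constructed placeholders.

```python
"""Inspect and clear a user's residual MFA state via the Auth0 Management API.

Added example for this forum thread, not Auth0's own code. Sample payloads
are constructed; the tenant domain and token passed to apply_plan are
placeholders supplied by the caller.
"""
import urllib.parse
import urllib.request
from typing import Any

# Constructed sample of GET /api/v2/users/:id after a dashboard "Reset MFA":
# the enrollments are gone, yet the profile still lists guardian.
SAMPLE_USER: dict[str, Any] = {
    "user_id": "auth0|example-user",
    "email": "martin@example.com",
    "multifactor": ["guardian"],
}

# Constructed sample of GET /api/v2/users/:id/enrollments after the reset.
SAMPLE_ENROLLMENTS: list[dict[str, Any]] = []

# Constructed sample of the same call before the reset.
SAMPLE_ENROLLMENTS_ACTIVE: list[dict[str, Any]] = [
    {"id": "dev_abc123", "status": "confirmed", "type": "authenticator", "name": "Guardian"},
    {"id": "dev_def456", "status": "pending", "type": "sms"},
]

# The per-user DELETE /multifactor/{provider} route only accepts these.
PROVIDER_ROUTE_PROVIDERS = {"duo", "google-authenticator"}


def mfa_state(user: dict[str, Any], enrollments: list[dict[str, Any]]) -> dict[str, Any]:
    """Reconcile the profile 'multifactor' flag with the live enrollment list."""
    providers = sorted(set(user.get("multifactor") or []))
    active = [e["id"] for e in enrollments if e.get("status") == "confirmed"]
    return {
        "providers": providers,
        "active_enrollments": active,
        # The thread's symptom: the profile still claims a provider, but no
        # confirmed enrollment exists, so the user will be asked to re-enroll.
        "stale_flag": bool(providers) and not active,
    }


def reset_plan(user: dict[str, Any], enrollments: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Return the (method, path) Management API calls that clear every visible factor."""
    user_id = urllib.parse.quote(user["user_id"], safe="")  # '|' must be escaped in the path
    providers = user.get("multifactor") or []
    plan: list[tuple[str, str]] = []
    # Each Guardian enrollment (confirmed or pending) has its own delete route.
    for e in enrollments:
        plan.append(("DELETE", f"/api/v2/guardian/enrollments/{e['id']}"))
    # duo / google-authenticator are cleared per provider on the user.
    for p in providers:
        if p in PROVIDER_ROUTE_PROVIDERS:
            plan.append(("DELETE", f"/api/v2/users/{user_id}/multifactor/{p}"))
    # Guardian has no per-provider route; the bulk authenticators delete is
    # the API-side equivalent of the dashboard reset (assumption).
    if "guardian" in providers:
        plan.append(("DELETE", f"/api/v2/users/{user_id}/authenticators"))
    return plan


def apply_plan(domain: str, token: str, plan: list[tuple[str, str]]) -> list[tuple[str, int]]:
    """Execute the plan against a tenant (network call; not exercised offline).

    The token is assumed to carry delete:guardian_enrollments and update:users.
    """
    results = []
    for method, path in plan:
        req = urllib.request.Request(
            f"https://{domain}{path}",
            method=method,
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            results.append((path, resp.status))
    return results


if __name__ == "__main__":
    print(mfa_state(SAMPLE_USER, SAMPLE_ENROLLMENTS))
    for call in reset_plan(SAMPLE_USER, SAMPLE_ENROLLMENTS_ACTIVE):
        print(*call)
```

Run it against a real tenant by fetching the two GET responses with a Management API token and passing them to reset_plan, then apply_plan. Note that clearing enrollments does not turn the tenant-level MFA policy off for that user: if the policy is "always", the next login still prompts for enrollment, which is the behaviour Martin describes further down.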

Hey there!

Let me research that for you and get back here with the news soon!

Hi there, can you tell me if this is actually supported (disabling MFA for one particular user)?

Hi, any update on this issue?

Thanks

It is. Here’s how to do that:

Hey there Martin!

Sorry for the delay in response. It seems like there’s a problem in our stack as you performed the action via UI (resetting the MFA) and then you’re checking the users using the API and the UI tells one thing while the API tells the other. I submitted it as an internal engineering ticket and will update you on this one as soon as I have any info about the fix from the engineering team. Sorry for the inconvenience!

Hi Konrad,

Thank you for your reply. This procedure will remove the MFA, but only temporarily. As soon as the user tries logging in again, he will need to set up MFA again.

I was asking this question because we’re trying to do automated tests with Cypress for our application. Using a predefined user for that scenario is doable, but when this user’s MFA is enabled, things become really hard.

Gotcha! I don't have much experience with Cypress, but maybe if you share that in this thread, which is about end-to-end testing with Cypress, somebody will be able to guide you:


Hello,
Any updates about this issue?
I'm having this issue testing an authentication flow that I'm developing for my company that uses MFA. I'm using guardian-js 1.3.2 in the custom mfa_page, and after resetting the MFA, the user can't enroll again; it returns a conflict error.
Any help would be great!
Thanks.

@franciscop I believe that that is by design. It looks like there’s a possibility to check if the user was already enrolled.
"2. (optional) Check if the user is already enrolled. You cannot enroll twice."

Hi @e.koning, thanks for the answer. I already found a solution with the Auth0 support team. I'll leave the solution here:

I had Email MFA enabled, and according to the docs this only works in the New Universal Login. While I had "New" toggled on in the Dashboard, I had turned on customizations, which actually reverts it back to the Classic Universal Login that does not support Email MFA.
So, on the support team's suggestion, I turned off the Email MFA toggle in the Multifactor Auth tab of the Dashboard but left SMS on, then cleared the user's MFA again, and everything started to work fine.

Best regards,
Francisco


Thanks for sharing that with the rest of the community!
