Reseting MFA does not disable it

martin6 · June 18, 2020, 12:24am

Hi,

I’m a bit confused on how to completly disable MFA for a specific user.

User enrolled in MFA using the Gardian App
In the Admin dashboard, I can see the MFA info and the text “User is enrolled on MFA. Reset MFA”
If I click “Reset MFA”. The MFA info is cleared anf the text " MFA is enabled for this user. Send an enrollment invitation" is shown.

But…

If I get the user info from the Management API endpoint (https://{{auth0_domain}}/api/v2/users/:id), the MFA info still appear as

“multifactor”: [
“guardian”
]

This element is not present for user that never enrolled into MFA.

Is it possible to clear this information from the user?

Thanks

Martin

konrad.sopala · June 18, 2020, 2:47pm

Hey there!

Let me research that for you and get back here with the news soon!

e.koning · July 23, 2020, 9:57am

Hi there, can you tell me if this actually supported (disable MFA for one particular user) ?

martin6 · August 26, 2020, 12:20pm

Hi, any update on this issue?

Thanks

konrad.sopala · September 12, 2020, 4:32pm

It is. Here’s how to do that:

konrad.sopala · September 12, 2020, 4:34pm

Hey there Martin!

Sorry for the delay in response. It seems like there’s a problem in our stack as you performed the action via UI (resetting the MFA) and then you’re checking the users using the API and the UI tells one thing while the API tells the other. I submitted it as an internal engineering ticket and will update you on this one as soon as I have any info about the fix from the engineering team. Sorry for the inconvenience!

e.koning · September 14, 2020, 7:14am

Hi Konrad,

Thank you for your reply. This procedure will remove the MFA, but it’s only temporarily. As soon as the user tries logging in again he will need to setup MFA again.

I was asking this question because we’re trying to do automated tests with Cypress for our application. Using a predefined user for that scenario is doable, but when this user’s MFA is enabled, things become really hard.

konrad.sopala · September 14, 2020, 9:58am

Gotchya! I don’t have much of experience with Cypress but maybe if you can share that in this thread which is about end-to-end testing with Cypress somebody will be able to guide you:

franciscop · October 12, 2020, 5:44pm

Hello,
Any updates about this issue?
I having this issue testing an authentication flow that i’m developing for my company that uses 2mfa. I’m using guardian-js1.3.2 in the custom mfa_page, and after reset the mfa, the user can’t enroll again, it returns a conflict error.
Any help would be great!
Thanks.

e.koning · October 20, 2020, 10:13am

@franciscop I believe that that is by design. It looks like there’s a possibility to check if the user was already enrolled.
“2. (optional) Check if the user is already enrolled. You cannot enroll twice.”

franciscop · October 20, 2020, 8:29pm

Hi @e.koning, thanks for answer. I already found a solution with the auth0 support team. I leave here the solution:

I had the Email MFA enabled and by the docs this only works in New Universal Login. While I had ‘New’ toggled on in the Dashboard, i have turned on customizations which actually reverts it back to Classic Universal Login that does not support Email MFA.
So, by the support team suggestion i turned off the Email MFA toggle in the Multifactor Auth tab of the Dashboard but leaving SMS on, then i cleared the user’s MFA again and all started to work fine.

Best regards,
Francisco

konrad.sopala · October 21, 2020, 1:39pm

Thanks for sharing that with the rest of community!

system · November 5, 2020, 1:39pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.