Hello, please excuse me if your problem is no longer relevant, but I hope my post can help someone else. First of all, I can’t tell why retrieving a list of authenticators doesn’t work for you, but I made a demo app where a user can manage his own authenticators (add new ones or remove the old ones), but only if he still has access to one of the existing MFA devices. There are 2 problems with this approach: it’s not really a “reset” (an admin still has to do it manually), and you can’t delete your “recovery-code” device this way because Auth0 will return a “You cannot delete a recovery-code authenticator” error.
The good news is that you can delete all MFA devices for a user (basically your initial goal) by first listing them using the GET /api/v2/users/{id}/enrollments method and then deleting them one by one using the DELETE /api/v2/guardian/enrollments/{id} method. Please note that the first method (get enrollments) doesn’t use the same format as “get authenticators”. For example, it won’t show a “recovery-code” device, but it will delete it along with the factor that was created first (and caused the recovery code to be created). But if the user deletes every factor except the recovery code, then this method won’t work either and you will have to use the manual reset on the Auth0 website. I find this whole system very confusing.
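The list-then-delete procedure from the post above, sketched in Python as an added example (not part of the original post and not Auth0's own code). The function names, the injectable `send` transport, the tenant domain and the token are assumptions for illustration; it also assumes each enrollment object carries an `id` field.

```python
import json
import urllib.parse
import urllib.request


def http_send(method, url, token):
    """Default transport: one Management API call -> (status, parsed JSON or None)."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else None)


def reset_mfa(domain, token, user_id, send=http_send, dry_run=False):
    """List a user's MFA enrollments, delete each one, then list again.

    Returns (targeted_ids, remaining_ids). With dry_run=True nothing is
    deleted and targeted_ids shows what would have been removed.
    An empty listing does not prove the account is clean: per the post,
    a recovery-code authenticator is not shown by this endpoint.
    """
    base = f"https://{domain}/api/v2"
    # User ids look like "auth0|abc123"; the "|" must be percent-encoded.
    uid = urllib.parse.quote(user_id, safe="")
    list_url = f"{base}/users/{uid}/enrollments"

    _, enrollments = send("GET", list_url, token)
    targeted = []
    for enrollment in enrollments or []:
        eid = enrollment["id"]
        if not dry_run:
            eid_path = urllib.parse.quote(eid, safe="")
            status, _ = send("DELETE", f"{base}/guardian/enrollments/{eid_path}", token)
            if status not in (200, 204):
                raise RuntimeError(f"delete of {eid} failed: HTTP {status}")
        targeted.append(eid)

    # Re-list so the caller can confirm the reset instead of assuming it.
    _, after = send("GET", list_url, token)
    return targeted, [e["id"] for e in after or []]
```

If `remaining_ids` is non-empty after a real run, or the user still gets an MFA prompt even though both lists were empty, that is the recovery-code-only case the post describes, which needs the manual reset.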