Retrieving a List of Users with a Specific MFA Enrollment

Problem statement

How can a list of users be retrieved with a specific type of MFA enrollment (otp, sms, etc…)?

Solution

There is no single endpoint that returns this data, but there is still a way to retrieve it.

First, query a user via the Management API and check if the user.multifactor array is not empty.

There are two ways to accomplish this:

  1. Use the User search endpoint to fetch all existing users and process the response in the backend by checking whether the user profile has items under the user.multifactor array. This array will just say “guardian” if the user is enrolled in any MFA, or be empty if they are not, e.g.:

     "multifactor": [
         "guardian"
     ],

  2. Export all users using the User Export endpoint and process it in a similar way through the backend.

To then check which authenticators a user is enrolled with, make an additional call for each user to the /api/v2/users/{id}/authentication-methods endpoint.

The type property will show what authenticators users are enrolled with:

[recovery-code, totp, push, guardian, sms, phone, email, webauthn-roaming, webauthn-platform]

There is no single endpoint with this data because the MFA details reside in a database different from where the users reside.

When creating a script, be sure to take account of the rate-limiting headers so the script runs smoothly:

  • x-ratelimit-limit: The maximum number of requests available in the current time frame.
  • x-ratelimit-remaining: The number of remaining requests in the current time frame.
  • x-ratelimit-reset: A UNIX timestamp of the expected time when the rate limit will reset.
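
The two-step lookup and the rate-limit handling described above can be combined as in the following sketch, which is an added example and not code from the original article. The function names and the page/per_page paging are assumptions, as is the response shape (a JSON array of objects with a type property); the sample users are constructed.

```python
import json, time, urllib.parse, urllib.request

def http_get(base, token, path, params=None):
    """Real transport: returns (parsed JSON body, lower-cased response headers)."""
    url = base + path + ("?" + urllib.parse.urlencode(params) if params else "")
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), {k.lower(): v for k, v in resp.headers.items()}

def wait_if_exhausted(headers, now=time.time, sleep=time.sleep):
    """Sleep until x-ratelimit-reset once x-ratelimit-remaining reaches 0."""
    if int(headers.get("x-ratelimit-remaining", 1)) > 0:
        return 0
    delay = max(0, int(headers.get("x-ratelimit-reset", 0)) - int(now()))
    sleep(delay)
    return delay

def users_with_factor(get, factor, per_page=50, now=time.time, sleep=time.sleep):
    """get(path, params) -> (body, headers); assumes both endpoints return JSON arrays."""
    matches, page = [], 0
    while True:
        users, headers = get("/api/v2/users", {"page": page, "per_page": per_page})
        wait_if_exhausted(headers, now, sleep)
        for user in users:
            if not user.get("multifactor"):  # empty or missing: not enrolled in MFA
                continue
            uid = urllib.parse.quote(user["user_id"], safe="")
            methods, headers = get(f"/api/v2/users/{uid}/authentication-methods", None)
            wait_if_exhausted(headers, now, sleep)
            if any(m.get("type") == factor for m in methods):
                matches.append(user["user_id"])
        if len(users) < per_page:  # short page: nothing left to fetch
            return matches
        page += 1

# Constructed sample data standing in for a tenant (not real users).
SAMPLE_USERS = [{"user_id": "auth0|u1", "multifactor": ["guardian"]},
                {"user_id": "auth0|u2", "multifactor": []},
                {"user_id": "auth0|u3", "multifactor": ["guardian"]}]
SAMPLE_METHODS = {"auth0%7Cu1": [{"type": "totp"}, {"type": "recovery-code"}],
                  "auth0%7Cu3": [{"type": "sms"}]}

def fake_get(path, params):
    """Offline transport over the constructed data; reports an exhausted limit."""
    headers = {"x-ratelimit-remaining": "0", "x-ratelimit-reset": "105"}
    if path == "/api/v2/users":
        start = params["page"] * params["per_page"]
        return SAMPLE_USERS[start:start + params["per_page"]], headers
    return SAMPLE_METHODS[path.split("/")[4]], headers
```

Against a real tenant, pass functools.partial(http_get, base_url, token) as get, with a Management API token that is allowed to read users and their authentication methods.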