Retrieving MFA methods for users (in bulk)

tyrone.erasmus · January 13, 2021, 1:05pm

Our app has the concept of a team which has team members (which are just Auth0 users). We control who is in a team by adding a teamId to the app_metadata of a user i.e.

{
  "teamId": "e61205e0-988c-4c30-89c9-0fc82aae9fe4"
}

In our settings panel, all team members are shown and this is done by the underlying API calling the Auth0 Management API (/api/v2/users) with a lucene query of app_metadata.teamId=e61205e0-988c-4c30-89c9-0fc82aae9fe4

This works great for listing users and populating a table with info about team members.

One problem that I am currently facing is that we want to show which MFA methods each team member uses (e.g. WEBAUTHN_ROAMING or TOTP). We are a security product and this information will be important to our users. But this info is not available as part of the normal user profile and requires a separate API call (/api/v2/users/{user_id}/enrollments). In the normal profile I can see a field called multifactor but that seems to just show guardian for the MFA methods we support and does no further breakdown of the type.

This means that for each team member, a separate API call will need to be done to retrieve MFA methods for each user, which puts us at risk of exceeding the Management API rate limits.

Does anyone know if it’s possible to get the MFA methods in bulk for a set of users? Or any other ideas really. It might be worth noting that we use Auth0 as the “single source of truth” for users and team memberships. There are some places where values are cached to avoid exceeding the rate limits but storing MFA methods somewhere else would be a second-prize for us.

dan.woda · January 13, 2021, 11:05pm

Hi @tyrone.erasmus,

It looks like that is the only way to access the factors at this time.

We’d loved to have your feedback on this, you can submit a ticket here:

Auth0: Secure access for everyone. But not just anyone.

tyrone.erasmus · January 15, 2021, 12:00pm

Thanks for the the response @dan.woda. I will send feedback shortly on the link you provided

One solution that I have come up in the meanwhile makes use of the EventBridge integration.

I catch these 2 events:

gd_enrollment_complete - provides info on a new MFA enrollment and includes the method enrolled and user_id
gd_unenroll - when an MFA reset is done, this occurs and the user_id is provided

When these events occur, I use the management API to update a list inside the user’s app_metadata with their MFA methods. It’s a bit of a short-term hack but at least it will allow me to list users and get their MFA methods back in a single API call (and therefore not run into problems with rate-limiting).

dan.woda · January 15, 2021, 4:49pm

Thanks for sharing the tip! That’s a great way to get around it.

system · January 30, 2021, 4:49pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can we use "/api/v2/users/{userId}/authenticators" (GET/POST) calls since it is not publicly doumented Help mfa	1	1903	August 22, 2022
Retrieve Complete User Profile using Management API Knowledge Articles profile , management_api	1	135	June 14, 2024
Reset MFA via Management API Help mfa , mfa-api	2	14	October 31, 2024
Reset our app user MFA with Management API Help mfa , management-api , mfa-api	7	3253	March 9, 2023
Retrieve All Authenticators for Certain User Knowledge Articles api , mfa , enrollment , management-	1	2945	June 17, 2022

Retrieving MFA methods for users (in bulk)

Related Topics