Retrieving MFA methods for users (in bulk)

Our app has the concept of a team which has team members (which are just Auth0 users). We control who is in a team by adding a teamId to the app_metadata of a user i.e.

{
  "teamId": "e61205e0-988c-4c30-89c9-0fc82aae9fe4"
}

In our settings panel, all team members are shown and this is done by the underlying API calling the Auth0 Management API (/api/v2/users) with a lucene query of app_metadata.teamId=e61205e0-988c-4c30-89c9-0fc82aae9fe4

This works great for listing users and populating a table with info about team members.

One problem that I am currently facing is that we want to show which MFA methods each team member uses (e.g. WEBAUTHN_ROAMING or TOTP). We are a security product and this information will be important to our users. But this info is not available as part of the normal user profile and requires a separate API call (/api/v2/users/{user_id}/enrollments). In the normal profile I can see a field called multifactor but that seems to just show guardian for the MFA methods we support and does no further breakdown of the type.

This means that for each team member, a separate API call will need to be done to retrieve MFA methods for each user, which puts us at risk of exceeding the Management API rate limits.

Does anyone know if it’s possible to get the MFA methods in bulk for a set of users? Or any other ideas really. It might be worth noting that we use Auth0 as the “single source of truth” for users and team memberships. There are some places where values are cached to avoid exceeding the rate limits but storing MFA methods somewhere else would be a second-prize for us.

Hi @tyrone.erasmus,

It looks like that is the only way to access the factors at this time.

We’d love to have your feedback on this; you can submit a ticket to Auth0 support.

Thanks for the response @dan.woda. I will send feedback shortly on the link you provided.

One solution that I have come up with in the meantime makes use of the EventBridge integration.

I catch these 2 events:

  • gd_enrollment_complete - provides info on a new MFA enrollment and includes the method enrolled and user_id
  • gd_unenroll - when an MFA reset is done, this occurs and the user_id is provided

When these events occur, I use the management API to update a list inside the user’s app_metadata with their MFA methods. It’s a bit of a short-term hack but at least it will allow me to list users and get their MFA methods back in a single API call (and therefore not run into problems with rate-limiting).

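The workaround above, written out as an added example (not the poster's code and not Auth0's): an EventBridge-triggered handler that keeps an `mfa_methods` list in the user's app_metadata in sync with `gd_enrollment_complete` and `gd_unenroll` log events, so the settings panel can read MFA methods from the same `/api/v2/users` query it already makes. The key name `mfa_methods`, the event shape (`event["detail"]["data"]` holding the log record) and the field that carries the enrolled method (`details.auth_method`) are assumptions; the post only says the events provide the method and `user_id`. The Management API is replaced by an in-memory fake that mimics the documented PATCH behaviour for app_metadata (keys merged at the first level, so `teamId` survives, but a list value is replaced wholesale), and all sample users and events are constructed.

```python
import copy

ENROLL_EVENT = "gd_enrollment_complete"   # new MFA enrollment (per the post)
UNENROLL_EVENT = "gd_unenroll"            # MFA reset (per the post)
MFA_KEY = "mfa_methods"                   # assumed app_metadata key name


def extract_log(event):
    """Return the Auth0 log record inside an EventBridge event.

    Assumption: the log entry sits at event["detail"]["data"]; the constructed
    events built by make_event() below follow that shape.
    """
    return event["detail"]["data"]


def next_mfa_methods(current, log):
    """Pure transition: (current list, log record) -> new list, or None to ignore.

    Where the method name lives in the record (details.auth_method) is an
    assumption; the post only says the event includes the method enrolled.
    """
    kind = log.get("type")
    if kind == ENROLL_EVENT:
        method = (log.get("details") or {}).get("auth_method")
        if not method:
            raise ValueError("enrollment event without a method: %r" % (log,))
        # Append, de-duplicated, preserving first-seen order.
        return list(dict.fromkeys(list(current) + [method]))
    if kind == UNENROLL_EVENT:
        # gd_unenroll is an MFA reset and only user_id is available, so clear all.
        return []
    return None  # some other log type: nothing to do


class FakeManagementAPI:
    """In-memory stand-in for GET/PATCH /api/v2/users/{id}.

    PATCH merges app_metadata keys at the first level (teamId is preserved),
    but a list under one key is replaced, not merged, which is what we want.
    """
    def __init__(self, users):
        self.users = copy.deepcopy(users)
        self.patches = []  # record of every PATCH, for inspection

    def get_user(self, user_id):
        return copy.deepcopy(self.users[user_id])

    def patch_user(self, user_id, body):
        self.patches.append((user_id, body))
        meta = self.users[user_id].setdefault("app_metadata", {})
        meta.update(body.get("app_metadata", {}))
        return self.get_user(user_id)


def handle_event(event, api):
    """Lambda-style entry point. Returns the new list, or None if nothing changed."""
    log = extract_log(event)
    user_id = log.get("user_id")
    if not user_id:
        return None
    current = api.get_user(user_id).get("app_metadata", {}).get(MFA_KEY, [])
    updated = next_mfa_methods(current, log)
    if updated is None or updated == current:
        return None  # avoid a needless PATCH (and a Management API call)
    api.patch_user(user_id, {"app_metadata": {MFA_KEY: updated}})
    return updated


def make_event(log_type, user_id, method=None):
    """Build a constructed EventBridge event for local testing."""
    data = {"type": log_type, "user_id": user_id}
    if method is not None:
        data["details"] = {"auth_method": method}  # assumed field name
    return {"detail-type": "Auth0 log", "detail": {"data": data}}


def list_team_mfa(api, team_id):
    """What the settings panel does now: one users query, no per-user enrollments
    call. The fake has no Lucene search, so this filters on app_metadata.teamId
    in memory instead of sending q=app_metadata.teamId:<id>."""
    return {uid: u.get("app_metadata", {}).get(MFA_KEY, [])
            for uid, u in api.users.items()
            if u.get("app_metadata", {}).get("teamId") == team_id}


USERS = {  # constructed sample users
    "auth0|alice": {"app_metadata": {"teamId": "e61205e0-988c-4c30-89c9-0fc82aae9fe4"}},
    "auth0|bob": {"app_metadata": {"teamId": "other-team"}},
}

if __name__ == "__main__":
    api = FakeManagementAPI(USERS)
    for ev in (make_event(ENROLL_EVENT, "auth0|alice", "totp"),
               make_event(ENROLL_EVENT, "auth0|alice", "webauthn-roaming"),
               make_event(UNENROLL_EVENT, "auth0|bob")):
        print(handle_event(ev, api))
    print(list_team_mfa(api, "e61205e0-988c-4c30-89c9-0fc82aae9fe4"))
```

Two caveats a practitioner should keep in mind with this design: log events can be delivered late or out of order, so a reset followed by a fresh enrollment can be applied in the wrong sequence, and the cached list is only as trustworthy as the event pipeline; a periodic reconciliation against `/api/v2/users/{user_id}/enrollments` (spread out to stay under the rate limit) catches drift. Writing `app_metadata` also means anything else that patches `app_metadata` must not send the whole object back, or it will clobber the list.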

Thanks for sharing the tip! That’s a great way to get around it.
