Switching between MFAs

Hi Team,

Is there any way to allow the user to switch between MFAs after completing signup with one of the MFAs?

For example, while signing up, let's assume that the user enrolled in Google Authenticator and after some time they want to switch to some other MFA like SMS/Recovery code.

Hi @sishwarya10 ,

Welcome to the Auth0 Community!

Is there any way to allow the user to switch between MFAs after completing signup with one of the MFAs?

Yes, after the users sign up, when they sign in, the default MFA is Google Authenticator. By clicking on “Try another method” → “SMS” → entering the phone number, they can log in. After that, the default MFA is set to SMS. They can click on “Try another method” if they want to switch to a different MFA factor.

Hope this helps!

2 Likes

Thanks for the reply @lihua.zhang

But the thing is, will we be allowed to change between MFAs while logging in?

For example, I have enabled SMS, Google Authenticator and one other MFA. At the time of signup it allows me to switch between SMS and Google Authenticator using “Try another method”. From here I tried two scenarios:

  1. Setting up SMS while signup
  2. Setting up Google Authenticator while signup

In both scenarios, when I log in, I receive only the one MFA that I selected during the signup process.

Is there any possibility of registering in both SMS and Google Authenticator while signing up?

[Note: When I have enabled Recovery code as one of the MFAs, I am able to switch between MFAs during signup and login as well. But it is not possible to switch between SMS and Google Authenticator.]


Hi @sishwarya10 ,

I apologize for the delay.

I discussed this topic with my team internally. Actually, we can use the MFA API to enroll the user in the 2nd factor. For example, if the user is already enrolled in Google Authenticator, to enroll the SMS factor, here are the details.

1. Pass the access token to enroll the SMS authenticator.

# {ACCESS_TOKEN} must be an MFA API access token (audience https://{YOUR_DOMAIN}/mfa/)
# that carries the "enroll" scope; phone_number is in E.164 format.
curl --request POST \
  --url 'https://{YOUR_DOMAIN}/mfa/associate' \
  --header 'authorization: Bearer {ACCESS_TOKEN}' \
  --header 'content-type: application/json' \
  --data '{ "authenticator_types": ["oob"], "oob_channels": ["sms"], "phone_number": "+15551234567" }'

This request will return the oob_code like below:

{"authenticator_type":"oob","binding_method":"prompt","oob_channel":"sms","oob_code":"Fe26.282dcca00….MoJZ1Q3k"}

The phone then receives the 6-digit binding_code.

2. Confirm the SMS enrollment with the access token, the oob_code and the binding_code.

# /oauth/token takes no Authorization header; the same MFA API access token
# from step 1 is passed as mfa_token, and binding_code is the code from the SMS.
curl --request POST \
  --url 'https://{YOUR_DOMAIN}/oauth/token' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=http://auth0.com/oauth/grant-type/mfa-oob' \
  --data 'mfa_token={ACCESS_TOKEN}' \
  --data 'client_id={YOUR_CLIENT_ID}' \
  --data 'client_secret={YOUR_CLIENT_SECRET}' \
  --data 'oob_code={OOB_CODE}' \
  --data 'binding_code={6_DIGIT_CODE}'

3. Verify in the user's settings, and log in as the user; you will see that both factors have been added.

This article explains the details. Please let me know how it goes. Thank you!

BTW, we created this FAQ recently regarding how to enroll a user in multiple authentication factors using MFA API. It might be helpful to your use case.
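The three steps above as one client, written as an added example (not Auth0's code and not part of the original reply). It wraps POST /mfa/associate, the mfa-oob grant at /oauth/token and GET /mfa/authenticators, validates the associate response shape (an SMS factor is an OOB authenticator whose binding_method is "prompt"), and refuses malformed phone numbers or binding codes before sending anything. The tenant domain, client credentials, token value and the `FakeAuth0` transport (a constructed stand-in whose error response merely imitates Auth0's `invalid_grant` shape) are assumptions so the flow runs offline; swap in `urllib_transport` to hit a real tenant.

```python
"""Enroll SMS as a second factor via Auth0's MFA API (added example, not Auth0's code)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

E164 = re.compile(r"^\+[1-9]\d{1,14}$")


class MfaError(Exception):
    """Non-2xx response, or a response that does not look like a valid enrollment."""


def urllib_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body bytes) -> (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


class SmsEnroller:
    def __init__(self, domain, client_id, client_secret, transport=urllib_transport):
        self.base = "https://" + domain  # assumed placeholder tenant domain
        self.client_id, self.client_secret, self.transport = client_id, client_secret, transport

    def associate(self, mfa_token, phone_number):
        """Step 1: start SMS enrollment; mfa_token needs the `enroll` scope. Returns oob_code."""
        if not E164.match(phone_number):
            raise MfaError("phone_number must be E.164, e.g. +15551234567")
        payload = {"authenticator_types": ["oob"], "oob_channels": ["sms"],
                   "phone_number": phone_number}
        status, body = self.transport(
            "POST", self.base + "/mfa/associate",
            {"Authorization": "Bearer " + mfa_token, "Content-Type": "application/json"},
            json.dumps(payload).encode())
        if status != 200:
            raise MfaError("associate failed: %s %s" % (status, body))
        # SMS is an OOB factor with binding_method "prompt": the user types the code back.
        if (body.get("authenticator_type"), body.get("oob_channel"),
                body.get("binding_method")) != ("oob", "sms", "prompt"):
            raise MfaError("unexpected associate response: %s" % body)
        return body["oob_code"]

    def confirm(self, mfa_token, oob_code, binding_code):
        """Step 2: finish enrollment with the 6-digit SMS code; returns the token response."""
        if not re.fullmatch(r"\d{6}", binding_code):
            raise MfaError("binding_code must be the 6-digit code from the SMS")
        form = urllib.parse.urlencode({
            "grant_type": "http://auth0.com/oauth/grant-type/mfa-oob",
            "client_id": self.client_id, "client_secret": self.client_secret,
            "mfa_token": mfa_token, "oob_code": oob_code, "binding_code": binding_code,
        }).encode()
        status, body = self.transport("POST", self.base + "/oauth/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise MfaError("confirm failed: %s %s" % (body.get("error"), body.get("error_description")))
        return body

    def active_factors(self, mfa_token):
        """Step 3: authenticator types the user can now use at login, sorted."""
        status, body = self.transport("GET", self.base + "/mfa/authenticators",
                                      {"Authorization": "Bearer " + mfa_token}, None)
        if status != 200:
            raise MfaError("list failed: %s %s" % (status, body))
        return sorted(a["authenticator_type"] for a in body if a.get("active"))


class FakeAuth0:
    """Constructed offline stand-in: one user already enrolled in TOTP (Google Authenticator)."""
    def __init__(self, sms_code="123456"):
        self.sms_code, self.pending = sms_code, {}
        self.authenticators = [{"id": "totp|dev_1", "authenticator_type": "totp", "active": True}]

    def __call__(self, method, url, headers, body):
        path = url.split("/", 3)[3]
        if path == "mfa/associate":
            code = "oob_%d" % (len(self.pending) + 1)
            self.pending[code] = json.loads(body)["phone_number"]
            return 200, {"authenticator_type": "oob", "binding_method": "prompt",
                         "oob_channel": "sms", "oob_code": code}
        if path == "oauth/token":
            form = dict(urllib.parse.parse_qsl(body.decode()))
            if form.get("oob_code") not in self.pending or form.get("binding_code") != self.sms_code:
                return 403, {"error": "invalid_grant", "error_description": "Invalid binding_code."}
            phone = self.pending.pop(form["oob_code"])
            self.authenticators.append({"id": "sms|dev_2", "authenticator_type": "oob",
                                        "oob_channel": "sms", "active": True, "name": phone})
            return 200, {"access_token": "eyJ...", "token_type": "Bearer"}
        if path == "mfa/authenticators":
            return 200, self.authenticators
        return 404, {}


def demo(sms_code_typed="123456"):
    """Run all three steps against the fake; returns the active factor types afterwards."""
    enroller = SmsEnroller("example.auth0.com", "client-id", "client-secret", FakeAuth0())
    mfa_token = "mfa-api-access-token-with-enroll-scope"  # assumed placeholder
    oob_code = enroller.associate(mfa_token, "+15551234567")
    enroller.confirm(mfa_token, oob_code, sms_code_typed)
    return enroller.active_factors(mfa_token)


if __name__ == "__main__":
    print(demo())  # ['oob', 'totp']: both factors are now active for the user
```

`demo()` with the right code ends with both "totp" and "oob" active, which is what step 3 checks in the dashboard; a wrong binding_code leaves the SMS factor unenrolled and surfaces as an `MfaError`, so the caller can prompt again rather than assume success.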

This topic was automatically closed after 10 days. New replies are no longer allowed.