Unable to generate a valid OTP MFA token for enrollment

We are having difficulty enrolling users in MFA using One-time passwords. When we use the invitation link from a user details page it generates an email with the link to enroll but that page shows a “not found” error.

We have previously used this to enroll users into MFA on request, but it is not working now. This is happening with multiple tenants, and if we remove MFA from a user account and try to re-enroll them, it also generates a bad link or ticket id for enrollment.

I tried using POSTMAN to generate the ticket through the API and also received an email for enrollment with a bad link/ticket id.

We use the classic login form, by design as we have some customization in place that we prefer for the look of our login form. So any way to generate a valid ticket id while using the classic form would be preferred.

Thanks!

Hi @matharrison

Welcome to the Auth0 Community!

Could you please let me know what endpoints are you using to enroll your users to MFA?

The issue might be caused by the fact that the generated tickets redirect the user to a New UL screen, whereas you are using Classic Login, arriving at the error page you have mentioned.

If you are using the guardian/post-ticket endpoint, it is stated that:

Parameter can only be used with Universal Login; it cannot be used with Classic Login or custom MFA pages.

As a suggestion, you can create a custom enrollment flow where you are generating and sending an OTP to the email. If they enter the correct code, you will “enroll” them by creating the MFA factor using the Management API.

Alternatively, you can attempt to enroll these users via Actions by adding flags to their accounts such as needs_mfa: true in their app_metadata.

Kind Regards,
Nik

We have traditionally enrolled users to MFA by simply clicking the “Send an enrollment invitation” link within a user’s details page.

The link generated in that email is what now returns a “Not found.” error message.

I used the Management API endpoint POST: “https://api/v2/guardian/enrollments/ticket” with my user and it generated an invitation email that also had a link to a “Not Found” error.

If that method is only usable with the Universal Login, then that action has changed because we’ve previously been able to use the link from the page.

I can try the alternative methods you’ve suggested but it is disappointing that existing functionality has been broken.

Thanks for providing the extra info!

I will double check the process and come back with an update ASAP regarding the matter.

Kind Regards,
Nik

I was able to enroll my user using the API, POST /api/v2/users/<user_id>/authentication-methods

{
  "type": "totp",
  "name": "otp",
  "totp_secret": "<base32 encoded string>"
}

But is there a way to then send an enrollment email to more easily add that to my authenticator application? I was able to manually add it by typing in the base32 string as a new entry in authy and that works, but my users are going to complain about typing that.

Hi again!

As far as I have investigated, it appears that the specific endpoint that the Dashboard uses is not available for Classic Login due to the ticket generated redirecting the user to a standard guardian enrollment screen instead of an enabled MFA factor within the tenant.

As I have mentioned above, one of the options to enroll these users would be to do it through the mentioned Management API endpoint.

Otherwise, one other flow, which might come with some complications, would be to use the ROPG flow with MFA.
Basically, depending on your MFA policies within the tenant, you will need to generate an MFA token for these types of users in order to enroll them using the Authentication API.

Since you are looking to enroll these users outside of the usual MFA flow during login, you will need to build a custom page which handles this behaviour in order for the user to receive and provide the otp for enrollment.

A much simpler approach however would be to add a flag inside the app_metadata of the user whenever they want to enroll into MFA and prompt re-authentication so that they can simply enroll through the MFA page of the Classic Login.

Hope the information above is helpful!

Kind Regards,
Nik

I think this gives me a better path for my users, I’ve tested adding a “needs_mfa” tag to my app_metadata and then using my login flow actions to check for that flag and no existing MFA to direct the user to the OTP enrollment.

Thanks for your help!

Mat
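The flag-plus-Action approach Nik suggested and Mat confirmed above, written out as an added example (this is not code from the thread or from Auth0). It assumes a custom app_metadata flag named needs_mfa, as in Mat's post, and uses the Actions API calls api.multifactor.enable() and api.user.setAppMetadata(); clearing the flag once a factor exists is this example's own choice, not something the thread describes.

```javascript
// Added example: an Auth0 post-login Action that forces the Classic Login MFA
// page (and therefore OTP enrollment) for users flagged with
// app_metadata.needs_mfa who have no factor enrolled yet.

// Pure decision function so the logic can be tested without the Actions
// runtime. `user` is the event.user object the Action receives.
function decideEnrollment(user) {
  const flagged = Boolean(user.app_metadata && user.app_metadata.needs_mfa === true);
  // Auth0 exposes enrolled factors on the user as `enrolledFactors` (objects
  // with a `type`) and `multifactor` (array of provider names); treat either
  // as proof of an existing enrollment.
  const enrolled =
    (Array.isArray(user.enrolledFactors) && user.enrolledFactors.length > 0) ||
    (Array.isArray(user.multifactor) && user.multifactor.length > 0);

  if (flagged && !enrolled) return 'prompt';     // send them to the MFA page
  if (flagged && enrolled) return 'clear-flag';  // already enrolled: drop the flag
  return 'none';                                 // normal tenant MFA policy applies
}

// Auth0 runs this as exports.onExecutePostLogin; the body has no awaits, so
// the api calls happen synchronously before the returned promise resolves.
async function onExecutePostLogin(event, api) {
  switch (decideEnrollment(event.user)) {
    case 'prompt':
      // Requiring MFA for a user with no enrolled factor makes the Classic
      // Login MFA page show enrollment for the factors enabled in the tenant.
      api.multifactor.enable('any', { allowRememberBrowser: false });
      break;
    case 'clear-flag':
      // Assumption of this example: the flag is one-shot and is reset once a
      // factor is present, so later logins follow the normal policy.
      api.user.setAppMetadata('needs_mfa', false);
      break;
    default:
      break;
  }
}

// In the Actions editor this assignment is what Auth0 invokes.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```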