User managed MFA

I have a few questions regarding MFA

  1. Is it possible for users to manage their own MFA? Once enrolled, it doesn’t seem they can change MFA devices, or handle anything related to it. Is the only option for us to reset their MFA under the user?
  2. Can users set 2 MFA hardware devices (one is primary, one for backup)?

Thank you.

Hi @eric.nissan,

  1. You’re right, you can have users select a Factor if you enabled several AND if you enabled the “show multi-factor authentication options” setting under Security > Multi-factor auth (in your Auth0 dashboard). However, modifying these settings or deleting MFA methods needs to be done by Tenant members.

Alternatively, since the Management API offers several methods to add/remove/modify factors, you could automate this in your own workflows using this API or even create your own self-service app/interface for users to do it themselves. Available methods are listed in our Management API reference under the “Users” section. (example: POST /api/v2/users/{id}/authentication-methods)

  2. Yes, you can add several factors / devices, but I’m not aware of a concept of Primary or Secondary devices. For this I can only guide you to file a feature request.
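The server-side check a self-service MFA page built on the Management API would need before removing a factor, added here as an example; it is not part of the reply above and not Auth0's own code. It assumes the DELETE counterpart of the endpoint quoted in the reply, that each listed method carries `id` and `confirmed` fields, and that `session_user_id` comes from the verified login session; the domain, token and sample entries are constructed.

```python
import urllib.parse
import urllib.request


class Refused(Exception):
    """Raised when a self-service request must not reach the Management API."""


def build_delete_request(domain, mgmt_token, session_user_id, enrolled, method_id):
    """Return the DELETE request for one of the signed-in user's own factors.

    enrolled: that user's authentication methods as listed by the Management
    API (assumed shape: dicts with "id" and "confirmed").
    """
    # The user id is taken from the session, never from the request body, so a
    # caller cannot point the privileged Management API token at another account.
    if method_id not in {m["id"] for m in enrolled}:
        raise Refused("method is not enrolled for the signed-in user")

    # Refuse to remove the last confirmed factor: the user would otherwise
    # fall back to no MFA or need a tenant member to reset them.
    remaining = [m for m in enrolled if m["id"] != method_id and m.get("confirmed")]
    if not remaining:
        raise Refused("removing this would leave no confirmed factor")

    # Auth0 user ids contain "|", so both path segments are percent-encoded.
    url = "https://{}/api/v2/users/{}/authentication-methods/{}".format(
        domain,
        urllib.parse.quote(session_user_id, safe=""),
        urllib.parse.quote(method_id, safe=""),
    )
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": "Bearer " + mgmt_token}
    )


# Constructed sample: two hardware keys plus an unconfirmed email factor.
SAMPLE_METHODS = [
    {"id": "webauthn-roaming|key1", "type": "webauthn-roaming", "confirmed": True},
    {"id": "webauthn-roaming|key2", "type": "webauthn-roaming", "confirmed": True},
    {"id": "email|mail1", "type": "email", "confirmed": False},
]

if __name__ == "__main__":
    req = build_delete_request(
        "tenant.example", "MGMT_TOKEN_PLACEHOLDER", "auth0|user123",
        SAMPLE_METHODS, "webauthn-roaming|key1",
    )
    print(req.get_method(), req.full_url)
```

The request is only built, not sent; the Management API token stays on the backend and is never handed to the browser.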

Thanks for helping on this one @sylvainf !


Thanks, yes, I did select that. The user then picked one (hardware MFA). When I went to the user, I saw they had both the hardware MFA and email selected. Is email somehow the default?

You always need a backup for MFA. When using hardware MFA specifically, the recommendation is to have a backup hardware key (in case you lose the original one).

It’s very unclear what the rules are here. Is it a deliberate reason to not natively implement allowing users to manage their own MFA methods? Would be a bit of an effort to have us build a user interface for that. Just my .02. Appreciate the reply.
