Problem Statement
We set up a rule to enforce MFA.
context.multifactor = {
  provider: 'google-authenticator'
};
And after the user logs in and enrolls with MFA TOTP, the user profile has the details:
"multifactor": [
  "google-authenticator"
],
We deleted the MFA enrollments with the Management API and expected the multifactor attribute to have no enrollment details left. However, there is no change to this attribute under the user profile.
Solution:
In the rule to enable MFA, the provider options “guardian” and “google-authenticator” are legacy settings that are kept for backward compatibility reasons, and should not be used moving forward. We recommend using “any” instead.
It is possible to remove “google-authenticator” from “multifactor” via the below API:
Our engineering team confirmed this is a bug. When using Guardian Delete Enrollments By ID, deleting the last enrollment for a provider should clean up the provider on the user. We will update this FAQ after solving this issue.
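As an added example (not Auth0's code and not part of the original FAQ), the following JavaScript flags users in the state described above: a "multifactor" attribute that still names a provider although no confirmed enrollment remains. The user and enrollment records are constructed, and the enrollment fields "id" and "status" and the function name are assumptions made for illustration.

```javascript
// Added example: find users whose profile still lists an MFA provider
// even though no confirmed enrollment is left for them.
// Assumption: each enrollment record carries an `id` and a `status`
// of 'confirmed' or 'pending'. All sample data below is constructed.

function findStaleMultifactor(users, enrollmentsByUser) {
  const findings = [];
  for (const user of users) {
    // The attribute may be absent on users who never enrolled.
    const providers = Array.isArray(user.multifactor) ? user.multifactor : [];
    if (providers.length === 0) continue;

    const enrollments = enrollmentsByUser[user.user_id] || [];
    const confirmed = enrollments.filter((e) => e.status === 'confirmed');

    // Provider listed on the profile, but nothing confirmed behind it.
    if (confirmed.length === 0) {
      findings.push({
        user_id: user.user_id,
        staleProviders: providers.slice(),
        pendingEnrollments: enrollments.length,
      });
    }
  }
  return findings;
}

// Constructed sample input: four user profiles and their enrollments.
const sampleUsers = [
  { user_id: 'auth0|constructed-1', multifactor: ['google-authenticator'] },
  { user_id: 'auth0|constructed-2', multifactor: ['google-authenticator'] },
  { user_id: 'auth0|constructed-3' },
  { user_id: 'auth0|constructed-4', multifactor: ['guardian'] },
];

const sampleEnrollments = {
  'auth0|constructed-1': [], // last enrollment deleted
  'auth0|constructed-2': [{ id: 'dev_constructed_a', status: 'confirmed' }],
  'auth0|constructed-3': [],
  'auth0|constructed-4': [{ id: 'dev_constructed_b', status: 'pending' }],
};

for (const f of findStaleMultifactor(sampleUsers, sampleEnrollments)) {
  console.log(`${f.user_id}: stale ${f.staleProviders.join(', ')}`);
}
```

Anything that reads "multifactor" to decide whether a user is enrolled will treat the flagged users as enrolled, so checking remaining enrollments is the more reliable signal while the bug is open.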