User profile multifactor attribute not changed after deleting MFA enrollments

Problem Statement

We set up a rule to enforce MFA.

context.multifactor = {
provider: 'google-authenticator'

And after the user logs in and enrolls with MFA TOPT, the user profile has the details:

"multifactor": [

We deleted MFA enrollments with management API and expect the multifactor attribute has no enrollment details left. However, there is no change to this attribute under the user profile.


In the rule to enable MFA, the provider options “guardian” and “google-authenticator” are legacy settings that are kept for backward compatibility reasons, and should not be used moving forward. We recommend using “any” instead.

It is possible to remove “google-authenticator” from “multifactor” via the below API:

Our engineering team confirmed this is a bug. When using Guardian Delete Enrollments By ID, deleting the last enrollment for a provider should clean up the provider on the user. We will update this FAQ after solving this issue.