What happens to existing users when I disable an MFA method?

Hello!

We need to disable SMS MFA, but we have a number of users who are currently using that as their MFA method.

I can’t find any documentation that explains what will happen to those users if I disable it:

  • Will their access be blocked?
  • Will they be asked to set up a new MFA method?
  • Will it continue to function for existing users but not allow new registrants to select it?

Does anyone know what the most sensible way of deprecating an MFA method is (ideally without needing to code the solution)?

Thanks

Welcome to the Auth0 Community, @mikej!

I’m assuming you have another MFA method enabled apart from SMS. Also, before proceeding and answering your questions, I must clarify that when a user signs up with the SMS factor, they get both the SMS factor enabled and also a Recovery Code which they are told to store securely.

SMS will be disabled, but users that registered an SMS device will continue to have that registered device, so if you enable the SMS factor again in the future, they will be able to log in via their old phone number. This means that their MFA settings are not reset.

No, they will not get blocked. MFA is still enabled though, so they will be required to enter their Recovery Code in order to access the application.

No. As mentioned in my previous response, they already have an alternative MFA method which is the Recovery Code, so they will not be asked for a new MFA method.

If you disable SMS MFA, nobody will be able to use it. Regarding the second part of your question, I am not sure I’ve understood correctly. No, new users would not be able to select SMS MFA if you disable it. They would need to select any of your other MFA methods.

You can just disable the method. However, you have to take into account and decide what will happen with the users that were using that method. If you take no action, those users will need to use a Recovery Code forever, which they might see as annoying. You have two alternatives here:

  1. No-code or almost no-code solution:
    Tell your affected customers that you will disable SMS MFA and reset their MFA settings afterwards. Then, they would need to register a new MFA method. This can be a security concern since those users will only be protected via their passwords until they register a new MFA method.

  2. Code solution:
    Thanks to our MFA API, you could develop a UI and let your users manage their MFA settings. This way there would be better approaches to the problem. For example, if you disable SMS MFA and they try to log in, they will need to use their Recovery Code to log in, but if they can manage their MFA settings they would be able to register a new factor themselves, so the next time they log in they wouldn’t need to use the Recovery Code.

I hope this helps. We don’t have an out-of-the-box (no-code) solution yet that would automatically allow users to register a new MFA method. Also, you might find our Multi-Factor Authentication Developer Resources page interesting.

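The "code solution" in the answer above, as an added example that is not part of the original thread and is not Auth0's own code: a small Python helper that looks at a user's enrolled authenticators, decides whether disabling a factor (here SMS) would leave them with nothing but recovery codes, and, if so, enrolls and confirms a replacement TOTP authenticator through the MFA API. It deliberately does not delete the old SMS enrollment, matching the point in the answer that keeping it lets the user fall back to the old phone number if SMS is ever re-enabled. The endpoint paths (`GET /mfa/authenticators`, `POST /mfa/associate`, `POST /oauth/token` with the `mfa-otp` grant), the authenticator fields (`authenticator_type`, `oob_channel`, `active`), and the detail that an SMS enrollment appears as `authenticator_type: "oob"` with `oob_channel: "sms"` are assumptions taken from the public MFA API documentation as I recall it; check them against the current docs before relying on them. The `mfa_token` is assumed to be the token returned in the `mfa_required` error (or an access token for the `https://{domain}/mfa/` audience with the `enroll` and `read:authenticators` scopes). The `request` callable is a constructed seam so the decision logic can be exercised offline; the sample authenticator lists are constructed, not captured from a tenant.

```python
"""Migrate a user off a factor that is being disabled, using the Auth0 MFA API.

Added example, not the thread's or Auth0's code. Endpoint paths, field names and the
oob/sms representation are assumptions from the public MFA API docs; verify them.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Set

# Transport seam: (method, url, bearer_token_or_None, json_body_or_None) -> parsed JSON.
# Passing a fake here lets the planning logic run offline.
Requester = Callable[[str, str, Optional[str], Optional[dict]], object]


def urllib_requester(method: str, url: str, token: Optional[str], body: Optional[dict]) -> object:
    """Minimal real transport: JSON in, JSON out, Bearer auth when a token is given."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def factor_key(auth: dict) -> str:
    """Normalise an authenticator record to a factor name: 'otp', 'oob:sms',
    'oob:voice', 'oob:auth0' (push), 'recovery-code'. SMS is an OOB channel, so
    matching on authenticator_type alone would miss it (assumed representation)."""
    typ = auth.get("authenticator_type", "")
    channel = auth.get("oob_channel")
    return f"{typ}:{channel}" if channel else typ


def migration_plan(authenticators: List[dict], disabled: Set[str]) -> Dict[str, object]:
    """Decide what disabling the factors in `disabled` means for one user.

    stranded  -> every active factor the user has is being disabled, so after the
                 change they could only sign in with a Recovery Code.
    stale_ids -> enrollments of the disabled factor (kept, not deleted; they work
                 again if the factor is re-enabled).
    """
    usable = [a for a in authenticators if a.get("active") and factor_key(a) != "recovery-code"]
    stale_ids = [a["id"] for a in usable if factor_key(a) in disabled]
    remaining = [a for a in usable if factor_key(a) not in disabled]
    return {"stranded": not remaining, "stale_ids": stale_ids}


def list_authenticators(domain: str, mfa_token: str, request: Requester = urllib_requester) -> List[dict]:
    return list(request("GET", f"https://{domain}/mfa/authenticators", mfa_token, None))  # type: ignore[arg-type]


def enroll_otp(domain: str, mfa_token: str, request: Requester = urllib_requester) -> dict:
    """Begin TOTP enrollment; the response carries secret, barcode_uri and new recovery_codes."""
    body = {"authenticator_types": ["otp"]}
    return dict(request("POST", f"https://{domain}/mfa/associate", mfa_token, body))  # type: ignore[arg-type]


def confirm_otp(domain: str, client_id: str, mfa_token: str, otp_code: str,
                request: Requester = urllib_requester) -> dict:
    """Finish enrollment by exchanging the first code; only then is the authenticator active."""
    body = {
        "grant_type": "http://auth0.com/oauth/grant-type/mfa-otp",
        "client_id": client_id,
        "mfa_token": mfa_token,
        "otp": otp_code,
    }
    return dict(request("POST", f"https://{domain}/oauth/token", None, body))  # type: ignore[arg-type]


def migrate_user(domain: str, client_id: str, mfa_token: str, disabled: Set[str],
                 otp_code_from_user: Callable[[dict], str],
                 request: Requester = urllib_requester) -> Dict[str, object]:
    """Inspect the user; if disabling `disabled` strands them, enroll and confirm TOTP.
    `otp_code_from_user` is the UI step: show barcode_uri, return the code the user types."""
    plan = migration_plan(list_authenticators(domain, mfa_token, request), disabled)
    plan["enrolled"] = False
    if plan["stranded"]:
        enrollment = enroll_otp(domain, mfa_token, request)
        confirm_otp(domain, client_id, mfa_token, otp_code_from_user(enrollment), request)
        plan["enrolled"] = True
    return plan


# Constructed samples in the shape of GET /mfa/authenticators (not captured data).
SAMPLE_SMS_ONLY = [
    {"id": "sms|dev_aaa", "authenticator_type": "oob", "oob_channel": "sms", "active": True},
    {"id": "recovery-code|dev_bbb", "authenticator_type": "recovery-code", "active": True},
]
SAMPLE_SMS_AND_OTP = SAMPLE_SMS_ONLY + [
    {"id": "totp|dev_ccc", "authenticator_type": "otp", "active": True},
]

if __name__ == "__main__":
    print(migration_plan(SAMPLE_SMS_ONLY, {"oob:sms"}))      # stranded: True
    print(migration_plan(SAMPLE_SMS_AND_OTP, {"oob:sms"}))   # stranded: False
```

The security point worth keeping in mind when wiring this to a real UI is the one the answer raises about option 1: the stranded user still has to authenticate with the Recovery Code to obtain the `mfa_token` that authorises `/mfa/associate`, so the account is never in a password-only state. Each Recovery Code use also returns a fresh one, so if you report `stranded` users rather than migrating them, tell them to store the new code.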