Problem statement
We currently have a large user base authenticating through an LDAP connector. We are in the midst of migrating those accounts into an Auth0 database user store. Within our source data, we have emails for most users and phone numbers for some users. None of these values have been previously verified. Our plan was to import this data with the values as unverified.
Further, for email addresses, we have a population of email addresses that exist on multiple accounts - this is valid and we cannot avoid this. Since Auth0 user stores require email addresses to be unique, we were planning to populate the email address value we have within app_metadata and populate the email address field with a generated, unique value.
After this migration we’d like to be able to begin enabling MFA functionality, with an initial focus on SMS and/or email-based 2FA. A few questions related to this:
- Can MFA functionality be overridden via rules or actions to use our value from app_metadata rather than the value at the top-level of the profile?
- Can the Auth0 email verification endpoint (Auth0 Management API v2) functionality be overridden via rules or actions to use our email value from app_metadata rather than the value at the top-level of the profile?
- Is there a similar endpoint to verify phone numbers through SMS? If not, what is the recommended approach for verifying email addresses?
Solution
1. Can MFA functionality be overridden via Rules or Actions to use our value from app_metadata rather than the value at the top-level of the profile?
MFA cannot be overridden by providing a different value at the time of rule/action initiation.
2. Can the Auth0 email verification endpoint (Auth0 Management API v2) functionality be overridden via rules or actions to use our email value from app_metadata rather than the value at the top-level of the profile?
Unfortunately, there isn’t a way currently to override this functionality to support actions.
3. Is there a similar endpoint to verify phone numbers through SMS? If not, what is the recommended approach for verifying email addresses?
Unfortunately, we do not have a verification endpoint for SMS, but we do allow the creation/import of the SMS factor through POST /authentication-methods. This can be used if the phone number was previously verified and needs to be created as a factor.
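
An added example, not from the original article or Auth0's own code: it prepares (without sending) the POST /authentication-methods request mentioned above, and only for migrated records whose phone number was already verified. The tenant domain, the `phone` / `phone_verified` record fields, the E.164 check and the factor name are assumptions; the `/api/v2/users/{id}` path prefix and the body fields come from the Management API v2 reference rather than from this page.

```javascript
// Added example: builds (does not send) Management API v2 requests that import
// an SMS factor for migrated users whose phone number was previously verified.
const E164 = /^\+[1-9]\d{6,14}$/; // "+" followed by 7 to 15 digits, no leading zero

// `tenantDomain` and the record fields `phone` / `phone_verified` are assumptions.
function buildSmsFactorRequests(users, tenantDomain) {
  const requests = [];
  const skipped = [];
  for (const user of users) {
    const meta = user.app_metadata || {};
    // Strip common separators before validating the number.
    const phone = String(meta.phone || "").replace(/[\s().-]/g, "");
    if (meta.phone_verified !== true) {
      // Unverified numbers are never enrolled as a second factor.
      skipped.push({ user_id: user.user_id, reason: "phone not previously verified" });
    } else if (!E164.test(phone)) {
      skipped.push({ user_id: user.user_id, reason: "phone not in E.164 format" });
    } else {
      const id = encodeURIComponent(user.user_id); // "auth0|u1" -> "auth0%7Cu1"
      requests.push({
        method: "POST",
        url: `https://${tenantDomain}/api/v2/users/${id}/authentication-methods`,
        body: {
          type: "phone",
          name: "Migrated SMS factor", // hypothetical display name
          phone_number: phone,
          preferred_authentication_method: "sms",
        },
      });
    }
  }
  return { requests, skipped };
}

// Constructed sample records (not real users or numbers).
const sampleUsers = [
  { user_id: "auth0|u1", app_metadata: { phone: "+1 (555) 010-0100", phone_verified: true } },
  { user_id: "auth0|u2", app_metadata: { phone: "+15550100101", phone_verified: false } },
  { user_id: "auth0|u3", app_metadata: { phone: "5550100102", phone_verified: true } },
  { user_id: "auth0|u4", app_metadata: {} },
];

const plan = buildSmsFactorRequests(sampleUsers, "TENANT.example.com");
console.log(JSON.stringify(plan, null, 2));
```

Each entry in `requests` would be sent with a Management API token; entries in `skipped` are the accounts that still need a verification step before a factor is created.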