TOTP question - not enabled against Tenant but per individual user. User sets up TOTP Device and ver...
n
TOTP question - not enabled against Tenant but per individual user. User sets up TOTP Device and verifies. The following is added to metadata:
```json
"requiredSecondaryFactors": [
    "totp"
]
```
When a user removes the device via device/remove and has no devices linked - should the metadata automatically be updated to remove the required 2nd factor?
r
hey @Nik not really. Cause then the user will be asked to setup a new device on next sign in. If you want to entirely disable totp, you can call the function to disable the required secondary factor for the user and that should clear this metadata key
n
thank you. that works for me. I do have another issue at the moment. So I've initialised TOTP && MultiFactorAuth and device verification etc works as expected. The issue I have now though, is that when I try to call signinup/code I started getting
```text
Please initialise the account linking recipe and define shouldDoAutomaticAccountLinking to enable MFA
```
I have initialised accountlinking as per https://supertokens.com/docs/thirdpartypasswordless/common-customizations/account-linking/automatic-account-linking I've set the automatic linking to be false in all scenarios currently. Next up I am calling SignIn, retrieving the st-access-token and using that to call signinup/code again and this time I get
```text
"message": "First factor sign in/up called for a non-first factor with an active session."
```
and I cannot get any info on that.
r
so what is the first factor, and what is the second factor here?
Furthermore, are you passing the access token in the request (or it should be auto added by our frontend sdk)
n
emailpassword first factor, passing the access token to the signup/code call
it all worked as expected before totp was added (subsequently the multifactorauth.init and accountlinking.init)
2nd factor is passwordless
r
The issue seems to be that you have disabled account linking
can you enable that and try again?
as shown in our docs
n
have done so and results are the same
r
can i see the request made for the second factor?
from the network tab. Or you can send over the HAR file
n
I've sent you the curl command. I am back to using postman to debug this
r
ok thanks
can i see your mfa.init config?
that's on the backend
n
```javascript
MultiFactorAuth.init({
    firstFactors: ["emailpassword", "thirdparty"],
    override: {
        functions: (originalImplementation) => {
            return {
                ...originalImplementation,
                getMFARequirementsForAuth: async function (input) {
                    if ((await input.requiredSecondaryFactorsForUser).includes("totp")) {
                        // this means that the user has finished setting up a device from their settings page.
                        if (await shouldRequireTotpForTenant(input.tenantId)) {
                            return ["totp"]
                        }
                    }
                    // no totp required for input.user, with the input.tenant.
                    return []
                }
            }
        }
    }
}),
```
Hmm as I paste this, I have a strong suspicion additional set up is required here
r
yea, so you also want to do passwordless as second factor right?
and not just totp
sort of like give the option for both to the user?
n
yeah correct
r
and what type of passwordless?
otp-email?
n
email and text message
r
ok so from
getMFARequirementsForAuth
function, you need to return ["totp", "otp-email", "otp-phone"]
based on some business logic
n
great, thank you! will give it a go
r
so the issue i think in the above logic is that you are only returning ["totp"], or [] from that function. Which means either the user has to do totp for 2fa or nothing for 2fa. Now you are asking the user to do passwordless for 2fa, even though getMFARequirementsForAuth doesn't return that. So our sdk thinks, ok, this is a first factor login maybe. But then in the firstFactors array, you don't have
otp-email
or
otp-phone
configured. Hence this error
n
still struggling with this.. for testing purposes, getMFARequirementsForAuth does
```javascript
return ["otp-email"]
```
in all cases however still getting the message of
```text
"First factor sign in/up called for a non-first factor with an active session."
```
r
Can you enable backend debug logs and show the output?
@porcellus can you help here?
n
r
Thanks. Let’s wait for @porcellus to help her
Here*
n
one odd thing there though is this:
```text
com.supertokens {t: "2024-04-09T10:34:12.752Z", message: "isValidFirstFactor tenantconfig enables: emailPassword,passwordless", file: "C:\_iqusdev\dev.supertokens.api\node_modules\supertokens-node\lib\build\recipe\multitenancy\utils.js:73:14" sdkVer: "17.0.0"} +0ms
```
which kinda explains the error, I suppose, however
```javascript
MultiFactorAuth.init({
    firstFactors: ["emailpassword", "thirdparty"],
```
and there is nowhere in code that I set first factor as passwordless. Also if I remove the multifactorAuth.init altogether, then the issue goes away
r
The tenant config has passwordless set as the first factor.
So I think you may have modified the tenant config to have passwordless set there as first factor.
Can you show us the tenant config you have set for this tenant?
n
so as a test, I've removed the MultiFactorAuth.init and made the same call.
```text
com.supertokens {t: "2024-04-09T10:43:55.260Z", message: "isValidFirstFactor tenantconfig enables: emailPassword,passwordless", file: "C:\_iqusdev\dev.supertokens.api\node_modules\supertokens-node\lib\build\recipe\multitenancy\utils.js:73:14" sdkVer: "17.0.0"} +0ms
```
r
You should add multi factor auth init back please
Can you show us the tenant config please?
@Nik can we see your entire supertokens.init on the backend?
n
r
@porcellus ^^
p
Hi
Could you try removing the part where you disable linking if the session is defined? Around line 85
n
So that makes the code send
p
Also, if you want to provide the user with multiple options, you need to return
[{ oneOf: ["totp", "otp-phone", "otp-email"]}]
for mfa requirements
r
@Nik , did the above issue get resolved based on the change that @porcellus suggested?
n
I think it did, at least the code is now sending but I am yet to test the full MFA - got caught up with calls
r
Sounds good.