Dharasis Behera

Reputation: 45

Malformed mfa_token message when trying to challenge a user with MFA

I am developing an iPhone application to demonstrate MFA using the SMS factor with the MFA APIs for a POC. Before the MFA implementation I was using the authorisation code flow to get my access token (where I get an authorisation code and redeem it for an access token). From the documentation, I found out that I need an mfa_token to work with the MFA APIs, so I added a few changes to my existing authorisation process.

I am getting an MFA Token by doing the following steps:

  1. Added the scope enroll read:authenticators to the authorisation endpoint (i.e. "https://<my_domain>/authorize").
  2. Added the audience https://<my_domain>/mfa to the authorisation endpoint.
  3. Then I make a POST request to the token endpoint with the authorization code to get the mfa_token.
  4. The only change I can observe is that the access token (which I presume to be the mfa_token) is now in JWT format with an expiry time of 600 sec.
  5. Using this access token (= mfa_token), I built custom pages for my user for enrollment and for challenging the user via SMS.
  6. I am able to enroll the user and confirm the enrollment using this access token.
  7. But when I challenge a user using this access token, I get the following error after the https://YOUR_DOMAIN/mfa/challenge call:
{
"error": "invalid_grant",
"error_description": "Malformed mfa_token"
}

Can anyone please tell me where I am going wrong?

Is the access token the same as the mfa_token in my case?

Thanks in Advance!

Upvotes: 1

Views: 676
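An added diagnostic to go with the question above (it is not code from the question, the answer, or the identity provider's SDK): before sending whatever you hold to the /mfa/challenge endpoint, it is useful to look at the token itself. The question's token is JWT-shaped, was requested with audience https://<my_domain>/mfa and scope "enroll read:authenticators", and lives 600 seconds, so the checker below decodes the JWT payload (signature deliberately not verified; this is inspection, not an authorization decision) and reports whether the aud, scope and exp claims match that request, or whether the value is not a JWT at all. The domain, the sample tokens and the opaque placeholder are constructed for the example and are assumptions, not values from the page.

```python
import base64
import json
import time

# Hypothetical tenant domain (assumption; substitute your own).
DOMAIN = "my-tenant.example.com"
# Audience and scopes the question adds to the /authorize request.
MFA_AUDIENCE = f"https://{DOMAIN}/mfa"
REQUIRED_SCOPES = {"enroll", "read:authenticators"}

# Fixed clock for the constructed samples so the example is deterministic.
SAMPLE_NOW = 1_700_000_000


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Build an UNSIGNED sample JWT (constructed for the demo; not a real token)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])  # empty signature segment


def inspect_token(token: str, now=None) -> dict:
    """Classify a token and list why it would NOT pass as an MFA-audience access token.

    The signature is not checked: this is a local diagnostic for "which token
    am I actually holding?", never a substitute for server-side validation.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        # Not three dot-separated segments: an opaque value rather than a JWT.
        return {"kind": "opaque", "problems": []}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error and json.JSONDecodeError
        return {"kind": "malformed", "problems": ["segments are not base64url JSON"]}

    problems = []
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    # Trailing slash ignored, since the MFA audience is sometimes written with one.
    if not any(a.rstrip("/") == MFA_AUDIENCE.rstrip("/") for a in aud):
        problems.append(f"aud {aud} does not include {MFA_AUDIENCE}")
    granted = set(claims.get("scope", "").split())
    missing = REQUIRED_SCOPES - granted
    if missing:
        problems.append(f"missing scopes {sorted(missing)}")
    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    return {
        "kind": "jwt",
        "alg": header.get("alg"),
        "aud": aud,
        "scope": sorted(granted),
        "ttl": (exp - now) if exp is not None else None,
        "problems": problems,
    }


# Constructed samples: an access token minted for the MFA audience (600 s TTL,
# as in the question), one minted for an unrelated API, and an opaque value.
MFA_ACCESS_TOKEN = make_sample_jwt({"aud": [MFA_AUDIENCE],
                                    "scope": "enroll read:authenticators",
                                    "exp": SAMPLE_NOW + 600})
API_ACCESS_TOKEN = make_sample_jwt({"aud": ["https://api.example.com"],
                                    "scope": "openid profile",
                                    "exp": SAMPLE_NOW + 600})
OPAQUE_SAMPLE_MFA_TOKEN = "constructed-opaque-mfa-token-value"

if __name__ == "__main__":
    for name, tok in [("mfa access token", MFA_ACCESS_TOKEN),
                      ("api access token", API_ACCESS_TOKEN),
                      ("opaque value", OPAQUE_SAMPLE_MFA_TOKEN)]:
        print(name, "->", inspect_token(tok, now=SAMPLE_NOW))
```

A clean report from inspect_token only tells you the token was minted for the MFA audience with the requested scopes and is still inside its 600-second window; if /mfa/challenge still rejects it, the problem is which token the endpoint expects rather than a damaged token, which is the distinction the question is asking about.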

Answers (1)

New Alexandria

Reputation: 7324

I think the access_token only serves as the mfa_token during OOB/device registration. Thereafter, the user will get an mfa_token during auth, which is passed for MFA/OTP challenges.

Upvotes: 0
