
servicea.28287 (Customer) asked a question.
Hello, I've run into a circumstance where I'm enrolling two factors for our users. One is an OTP via SMS for authentication and the other is an OTP via email for recovery (i.e., while resetting the password). This API, which is stated below, I believe should list all factors that are enrolled for a user.
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "User-Agent: Mozilla/5.0 (${systemInformation}) ${platform} (${platformDetails}) ${extensions}" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/users/00u15s1KDETTQMQYABRL/factors"
Why does it show all factors except the "Email" factor? Or can someone suggest another way to validate all the factors that a user has enrolled in?

Hi! As I am sure you are aware, you can find a link to the Factors API here.
I do believe your call will only list out those factors for which the user is enrolled. Can you try running the following: List Factors to enroll? This should list out those factors that can be enrolled for the specified user.
You might also try Get Factor to specify just the email factor to see what is returned for the specified user.
Have you verified that they are in fact enrolled for the email factor? If the GUI is not preferred, then the combination of the above will help you verify that if it is not showing as enrolled, at least you can verify that they are able to be enrolled in the email factor (thus also implying that they are not currently).
I do hope that helps to address your question. If not, please do let me know and I would be happy to further assist! Thanks!!
Thanks Don, but I checked with the factors to be enrolled API too. It's listing the sms factor only, and that too is shown with "ACTIVE" status; I guess this means it's already enrolled. We enrolled the email factor for a particular user but it's not showing in either API's response. I think maybe these don't display recovery factors, but still there should be a method to verify this.
[
  {
    "factorType": "sms",
    "provider": "OKTA",
    "vendorName": "OKTA",
    "_links": {
      "enroll": {
        "href": "https://{{okta_domain}}/api/v1/users/{{user_id}}/factors",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    },
    "status": "ACTIVE",
    "enrollment": "REQUIRED",
    "_embedded": {
      "phones": [
        {
          "id": "mblxxxxxxxxxx",
          "profile": {
            "phoneNumber": "xxxxxxxx"
          },
          "status": "ACTIVE"
        }
      ]
    }
  }
]
Hmm... I just ran this in my own environment, and when the email factor is enabled, it at least shows "OPTIONAL" for enrollment for a particular user. Is this factor turned on in Security > Multifactor > Factor Types?
Or alternatively, are you referring to having the ability for users to leverage email for Self-service Password Reset (SSPR)?
Hi Don, it's SSPR. As you can see, we don't use email for authentication; rather, we solely use it for recovery. Phone (sms) is the MFA for clients. Could this be the cause of its exclusion from the APIs?
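
The check discussed in this thread (compare the enrolled-factors list with the "factors to enroll" list for one user) can be scripted. The following is an added example, not code from any poster or from Okta: the function names and sample data are constructed, and the field names factorType, status and enrollment are taken from the response quoted above, with the enrolled list assumed to carry the same factorType and status fields.

```python
import json

# Constructed samples modeled on the responses discussed in the thread;
# ids are placeholders, not real values.
ENROLLED_JSON = '[{"id": "mblxxxxxxxxxx", "factorType": "sms", "status": "ACTIVE"}]'
CATALOG_JSON = ('[{"factorType": "sms", "provider": "OKTA", '
                '"status": "ACTIVE", "enrollment": "REQUIRED"}]')


def reconcile(enrolled, catalog, expected):
    """Classify each expected factor type by what the two responses show.

    enrolled -- parsed body of the "list enrolled factors" call
    catalog  -- parsed body of the "list factors to enroll" call
    expected -- factor types the admin believes the user has set up

    Returns {factorType: state} where state is:
      "enrolled"   in the enrolled list with status ACTIVE
      "pending"    in the enrolled list with any other status
      "available"  only in the catalog, so it can still be enrolled
      "not_listed" in neither response
    """
    status_by_type = {}
    for factor in enrolled:
        ftype = factor.get("factorType")
        # A user can hold several factors of one type; ACTIVE wins.
        if status_by_type.get(ftype) != "ACTIVE":
            status_by_type[ftype] = factor.get("status")
    catalog_types = {factor.get("factorType") for factor in catalog}

    report = {}
    for ftype in expected:
        if ftype in status_by_type:
            active = status_by_type[ftype] == "ACTIVE"
            report[ftype] = "enrolled" if active else "pending"
        elif ftype in catalog_types:
            report[ftype] = "available"
        else:
            report[ftype] = "not_listed"
    return report


def check_sample():
    """Run the reconciliation over the constructed samples above."""
    return reconcile(json.loads(ENROLLED_JSON), json.loads(CATALOG_JSON),
                     ["sms", "email"])


if __name__ == "__main__":
    for ftype, state in check_sample().items():
        print(f"{ftype}: {state}")
```

A "not_listed" result for email reproduces what the original poster observed in both responses; it reports only what these two calls return and does not by itself show whether email is configured for password recovery.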