Supabase•9mo ago•
1 reply
pierfreeman

resetPasswordForEmail + MFA: Cannot update password due to AAL2 requirement

Hi Supabase team 👋

Before opening a new issue on GitHub, I ask here.

I'm encountering a problem with the password reset flow when MFA is enabled for a user.

When I initiate a password reset using supabase.auth.resetPasswordForEmail(email), the user receives the reset link and is redirected correctly. However, when trying to update the password using supabase.auth.updateUser({ password }), Supabase responds with a 401 Unauthorized error, stating that AAL2 is required.

Context

- The user has MFA enabled (TOTP or SMS).
- The session obtained from the recovery link works (getSession() returns a valid session).
- However, the session is AAL1, and Supabase rejects the password update due to AAL2 not being satisfied.
- Calling setSession() does not resolve the issue.
- Other: Angular Frontend App with a Node.js/Express/Loopback v3 backend

Expected behavior


When using resetPasswordForEmail(), I would expect that the session obtained from the recovery link allows the user to reset their password — even if MFA is enabled — since the reset link was securely sent via email. From a UX point of view, asking for MFA during a reset password is quite a bad experience.

If this is not intended, it would be great to have:

- A workaround or documented flow to support password reset when MFA is enabled.
- Clarification in the docs that resetPasswordForEmail() cannot be used if MFA is active unless the user also completes MFA.

Steps to Reproduce

- Enable MFA for a user.
- Trigger resetPasswordForEmail().
- Click on the recovery link and set the session.
- Try calling updateUser({ password }).
- Receive a 401 with AAL2 required.

Could you please clarify:
- Is this the expected behavior?
- If so, how should developers allow users to reset passwords when MFA is enabled?
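
Added example, not part of the original post and not Supabase's own code: one way to handle the AAL1 recovery session described above is to complete a TOTP challenge before calling updateUser({ password }), so that the mailbox alone is not enough to change the password of an MFA-protected account. It uses the supabase-js v2 calls auth.mfa.getAuthenticatorAssuranceLevel(), auth.mfa.listFactors() and auth.mfa.challengeAndVerify(). Assumptions: the server accepts the update once the session is aal2, only TOTP factors are handled, and getMfaCode and makeFakeClient are hypothetical names (the fake client is constructed so the flow runs offline).

```javascript
// Step-up flow: raise the recovery session to aal2, then change the password.
// getMfaCode is a hypothetical app callback resolving to the user's TOTP code.
async function updatePasswordWithStepUp(supabase, newPassword, getMfaCode) {
  const { data: aal, error: aalError } =
    await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
  if (aalError) throw aalError;

  // nextLevel 'aal2' means a verified factor exists; the recovery link only
  // produced an aal1 session, so the factor must be verified first.
  if (aal.nextLevel === 'aal2' && aal.currentLevel !== 'aal2') {
    const { data: factors, error: listError } = await supabase.auth.mfa.listFactors();
    if (listError) throw listError;
    const factor = factors.totp.find((f) => f.status === 'verified');
    if (!factor) throw new Error('no verified TOTP factor to step up with');
    const code = await getMfaCode(factor);
    const { error: verifyError } = await supabase.auth.mfa.challengeAndVerify({
      factorId: factor.id,
      code,
    });
    if (verifyError) throw verifyError; // wrong code: session stays at aal1
  }

  const { data, error } = await supabase.auth.updateUser({ password: newPassword });
  if (error) throw error;
  return data.user;
}

// Constructed stand-in client so the flow runs offline. It mimics the behaviour
// in the post: updateUser is rejected until the session reaches aal2.
function makeFakeClient(validCode) {
  let level = 'aal1';
  const ok = (data) => ({ data, error: null });
  const fail = (msg) => ({ data: null, error: new Error(msg) });
  return {
    auth: {
      mfa: {
        getAuthenticatorAssuranceLevel: async () =>
          ok({ currentLevel: level, nextLevel: 'aal2' }),
        listFactors: async () => ok({ totp: [{ id: 'factor-1', status: 'verified' }] }),
        challengeAndVerify: async ({ code }) => {
          if (code !== validCode) return fail('invalid TOTP code (constructed)');
          level = 'aal2';
          return ok({});
        },
      },
      updateUser: async () =>
        level === 'aal2' ? ok({ user: { id: 'user-1' } }) : fail('AAL2 required (constructed)'),
    },
  };
}
```

SMS (phone) factors need a separate challenge and verify step, which this TOTP-only example does not cover.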