Supabase•7mo ago
pierfreeman

resetPasswordForEmail + MFA: Cannot update password due to AAL2 requirement

Hi Supabase team 👋

Before opening a new issue on GitHub, I ask here.

I'm encountering a problem with the password reset flow when MFA is enabled for a user.

When I initiate a password reset using supabase.auth.resetPasswordForEmail(email), the user receives the reset link and is redirected correctly. However, when trying to update the password using supabase.auth.updateUser({ password }), Supabase responds with a 401 Unauthorized error, stating that AAL2 is required.

## Context

  • The user has MFA enabled (TOTP or SMS).
  • The session obtained from the recovery link works (getSession() returns a valid session).
  • However, the session is AAL1, and Supabase rejects the password update due to AAL2 not being satisfied.
  • Calling setSession() does not resolve the issue.
  • Other: Angular Frontend App with a Node.js/Express/Loopback v3 backend

## Expected behavior

When using resetPasswordForEmail(), I would expect that the session obtained from the recovery link allows the user to reset their password — even if MFA is enabled — since the reset link was securely sent via email. From a UX point of view, asking for MFA during a password reset is quite a bad experience.

If this is not intended, it would be great to have:

  • A workaround or documented flow to support password reset when MFA is enabled.
  • Clarification in the docs that resetPasswordForEmail() cannot be used if MFA is active unless the user also completes MFA.

## Steps to Reproduce
  • Enable MFA for a user.
  • Trigger resetPasswordForEmail().
  • Click on the recovery link and set the session.
  • Try calling updateUser({ password }).
  • Receive a 401 with AAL2 required.

Could you please clarify:
  • Is this the expected behavior?
  • If so, how should developers allow users to reset passwords when MFA is enabled?
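An added example, not the poster's code and not a reply from Supabase: the post itself raises the possibility that the reset only works if "the user also completes MFA", so this sketch checks the recovery session's assurance level with the documented supabase-js calls (auth.mfa.getAuthenticatorAssuranceLevel, auth.mfa.listFactors, auth.mfa.challenge, auth.mfa.verify, auth.updateUser) and performs that step-up before attempting updateUser. It runs against a fake client constructed inline that mimics the 401 "AAL2 required" behaviour described above; the factor id, challenge id, valid code, error text and the promptForCode callback are all invented stand-ins. Whether Supabase intends this flow is exactly the open question of the post.

```javascript
// Added example (not from the post or from Supabase). Decides whether a
// recovery session may call updateUser({ password }) directly or must first
// be stepped up to AAL2 with an enrolled, verified TOTP factor.

// Pure decision: given the AAL result and the enrolled factors, what next?
function planPasswordUpdate(aal, factors) {
  if (aal.currentLevel === 'aal2') return { action: 'update' };
  const verified = (factors.totp || []).filter((f) => f.status === 'verified');
  if (aal.nextLevel === 'aal2' && verified.length > 0) {
    return { action: 'step-up', factorId: verified[0].id };
  }
  // No verified factor: AAL1 is the user's maximum, so updateUser is attempted as-is.
  return { action: 'update' };
}

// Drives the flow against a supabase-js style client. `promptForCode` is a
// hypothetical callback that asks the user for the TOTP code from their app.
// Returns which path was taken ('update' or 'step-up'); throws on any error.
async function updatePasswordAfterRecovery(client, newPassword, promptForCode) {
  const { data: aal, error: aalErr } = await client.auth.mfa.getAuthenticatorAssuranceLevel();
  if (aalErr) throw aalErr;
  const { data: factors, error: fErr } = await client.auth.mfa.listFactors();
  if (fErr) throw fErr;

  const plan = planPasswordUpdate(aal, factors);
  if (plan.action === 'step-up') {
    // Challenge + verify raises the existing session to AAL2 before the update.
    const { data: challenge, error: cErr } = await client.auth.mfa.challenge({ factorId: plan.factorId });
    if (cErr) throw cErr;
    const code = await promptForCode();
    const { error: vErr } = await client.auth.mfa.verify({
      factorId: plan.factorId,
      challengeId: challenge.id,
      code,
    });
    if (vErr) throw new Error(vErr.message);
  }

  const { error } = await client.auth.updateUser({ password: newPassword });
  if (error) throw new Error(error.message);
  return plan.action;
}

// Constructed fake client: a recovery session at AAL1, optionally with one
// verified TOTP factor. updateUser rejects with a 401 until the session is
// verified, mirroring the behaviour described in the post. All ids and
// messages below are invented.
function makeFakeClient({ totpEnrolled, validCode }) {
  let level = 'aal1';
  return {
    auth: {
      mfa: {
        getAuthenticatorAssuranceLevel: async () => ({
          data: { currentLevel: level, nextLevel: totpEnrolled ? 'aal2' : 'aal1' },
          error: null,
        }),
        listFactors: async () => ({
          data: { totp: totpEnrolled ? [{ id: 'factor-1', status: 'verified' }] : [] },
          error: null,
        }),
        challenge: async () => ({ data: { id: 'challenge-1' }, error: null }),
        verify: async ({ code }) => {
          if (code !== validCode) return { data: null, error: { message: 'Invalid TOTP code' } };
          level = 'aal2';
          return { data: {}, error: null };
        },
      },
      updateUser: async () =>
        level === 'aal2' || !totpEnrolled
          ? { data: {}, error: null }
          : { data: null, error: { status: 401, message: 'AAL2 required to update password' } },
    },
  };
}
```

The decision is kept in a pure function so the AAL1/AAL2 branching can be unit-tested without a network; the same `updatePasswordAfterRecovery` would be called with the real `createClient(...)` instance in the Angular app, with `promptForCode` wired to a code-entry dialog.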