Supabase•3mo ago•
1 reply
Baran

`getAuthenticatorAssuranceLevel` returns AAL2, but `/factors` returns AAL1

Aim:
A user with 2 MFAs wants to unenroll/delete 1 MFA, then enroll a new MFA.

Issue:
Given user has 2 MFAs, when user unenrolls 1 MFA, and tries enrolling a new MFA, the `/factors` endpoint returns an error.

```
{"code":"insufficient_aal","message":"AAL2 required to enroll a new factor"}
```


I expected the error not to be returned, because according to `getAuthenticatorAssuranceLevel`, the user is already at aal2.

```
> const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
> console.log(data);
< {
    "currentLevel": "aal2",
    "nextLevel": "aal2",
    "currentAuthenticationMethods": [
        {
            "method": "mfa/phone",
            "timestamp": 1762856780
        },
        {
            "method": "totp",
            "timestamp": 1762856749
        },
        {
            "method": "password",
            "timestamp": 1762856735
        }
    ]
}
> console.log(error);
< null
```


So, which one is it? Is `getAuthenticatorAssuranceLevel` returning an incorrect response, or `/factors`?