Supabase, 2mo ago
Baran

`getAuthenticatorAssuranceLevel` returns AAL2, but `/factors` returns AAL1

Aim:
A user with 2 MFAs wants to unenroll/delete 1 MFA, then enroll a new MFA.

Issue:
Given that a user has 2 MFAs, when the user unenrolls 1 MFA and tries enrolling a new MFA, the /factors endpoint returns an error:
{"code":"insufficient_aal","message":"AAL2 required to enroll a new factor"}


I expected the error not to be returned, because according to getAuthenticatorAssuranceLevel, the user is already at aal2.
> const { data, error } = await supabase.auth.mfa.getAuthenticatorAssuranceLevel();
> console.log(data);
< {
    "currentLevel": "aal2",
    "nextLevel": "aal2",
    "currentAuthenticationMethods": [
        {
            "method": "mfa/phone",
            "timestamp": 1762856780
        },
        {
            "method": "totp",
            "timestamp": 1762856749
        },
        {
            "method": "password",
            "timestamp": 1762856735
        }
    ]
}
> console.log(error);
< null


So, which one is it? Is getAuthenticatorAssuranceLevel returning an incorrect response, or /factors?