Verified MFA doesn't set AAL to aal2

[hkamran80]

In my Next.js app, I have a user flow that enrolls and verifies a user's MFA. When I sign in, the AAL is set to aal1 for both current and next, which prevents requesting a 2FA token. It also prevents the user from unenrolling their verified MFA methods because of the required aal2 level.

This is the JSON object I get when I call supabase.auth.mfa.getAuthenticatorAssuranceLevel:

{
    "currentLevel": "aal1",
    "nextLevel": "aal1",
    "currentAuthenticationMethods": [
        {
            "method": "password",
            "timestamp": 1672514024
        }
    ]
}

And this is the output of supabase.auth.mfa.listFactors:

{
    "all": [
        {
            "id": "460ee0bc-1f3e-xxxx-a128-01d6a07e140b",
            "created_at": "2022-12-31T15:12:56.170472Z",
            "updated_at": "2022-12-31T15:13:26.311767Z",
            "status": "verified",
            "factor_type": "totp"
        }
    ],
    "totp": [
        {
            "id": "460ee0bc-1f3e-xxxx-a128-01d6a07e140b",
            "created_at": "2022-12-31T15:12:56.170472Z",
            "updated_at": "2022-12-31T15:13:26.311767Z",
            "status": "verified",
            "factor_type": "totp"
        }
    ]
}

Does anybody have any idea as to why the AAL isn't being changed?

[GeekPro101]

I've also experienced something similar - enrolling + validating while signed in results in aal2 being set correctly for both, but signing out then signing back in sets it to aal1 for both

[J0]

Thanks for the swift response! I’ll also download Firefox on my end and try

[GeekPro101]

@J0 Just tried it on Chrome with separating the two methods - no dice :(

[J0]

Ok! thanks for the update

[emileond]

@J0 Thanks for taking a look at this. I'm also using the default auth configuration on Nextjs 12.2.5 - One odd thing I've noticed on Supabase is that when I try to enable Point in time recovery (PITR), it shows a message that says my project is too old to be able to enable PITR. So I wonder if something related to the project might be affecting MFA too:

My code looks almost exactly the same as the one in this guide - I'm using challengeAndVerify when enrolling, but the problem seems to be with getAuthenticatorAssuranceLevel.

Hope this helps.

[J0]

Hey @emileond,

Thanks for the notification - generally failure to enable PITR suggests that the Postgres version is not matching. It shouldn't affect MFA.

I'll take a look at the getAuthenticatorAssuranceLevel call again on Firefox.

[fasamoah19]

I'm running into the same issue. Is there any update on this?

[GeekPro101]

I'm running into the same issue. Is there any update on this?

See https://github.com/supabase/auth-helpers/pull/455/files - it's patched and if you update to 0.3.0 of the auth helpers it fixes it

[e2corporation]

Has this been resolved? This issue is still present in @supabase/supabase-js@^2.47.10. I have a verified TOTP device from a custom setup flow, yet the current level is still aal1 with a method of password for currentAuthenticationMethods.

supabase.auth.onAuthStateChange(async (event, session) => {
....
....
if (event === 'SIGNED_IN') {

const { data, error }: AuthMFAGetAuthenticatorAssuranceLevelResponse =
          await supabase.auth.mfa.getAuthenticatorAssuranceLevel()
        const { currentLevel, nextLevel, currentAuthenticationMethods } = data
        
// console.log(currentLevel, currentAuthenticationMethods)
aal1
{
  "method": "password",
  "timestamp": 1735318275
}

[e2corporation]

Additionally trying to DELETE a previously verified TOTP Factor returns this response

{
"code":"insufficient_aal",
"message":"AAL2 required to unenroll verified factor"
}