firebase
Updating MFA methods for user with TOTP active results in error
[REQUIRED] Step 2: Describe your environment
- Operating System version: macOS 15.6.1
- Firebase SDK version: 13.5.0
- Firebase Product: auth
- Node.js version: 20.19.2
- NPM version: 11.6.2
[REQUIRED] Step 3: Describe the problem
When attempted to change anything in the MFA configuration of a user that has TOTP active, firebase throws.
Steps to reproduce:
See the following example, where I attempt to enroll user with phone factor.
let enrolledFactors = (user.multiFactor?.enrolledFactors || []) as unknown as firebase.auth.UpdateMultiFactorInfoRequest[];
if (enrolledFactors.find((f) => f.factorId === method)) {
console.log(`User ${email} is already enrolled in MFA method: ${method}`);
return;
}
await firebase.auth().updateUser(user.uid, {
multiFactor: {
enrolledFactors: [
...enrolledFactors,
{
uid: `phone:${sanitizePhoneNumber(phoneNumber)}`,
factorId: FactorId.PHONE,
phoneNumber,
},
],
},
});
If the enrolledFactors include an entry with factorId totp, it throws:
FirebaseAuthError: Unsupported second factor "{"uid":"58637419-3818-4e95-b26c-7254aa11a85b","displayName":"TOTP","factorId":"totp","enrollmentTime":"Fri, 24 Oct 2025 09:34:05 GMT","totpInfo":{}}" provided.
It does look like the firebase-admin does not support TOTP fully, even though user was able to enroll and use the TOTP method on the client just fine - and the user.multiFactor?.enrolledFactors do return it (but you can't save it back to the firebase).
Also one note regarding TypeScript definitions. The enrolledFactors array (2nd argument of the updateUser call) is of type MultiFactorUpdateSettings.enrolledFactors: UpdatePhoneMultiFactorInfoRequest[] | null which definitely suggests it wasn't updated to a more generic type that also supports TOTP (the type returned from user.multiFactor?.enrolledFactors is MultiFactorInfo[] | undefined.