Azure B2C MFA Query

Hayes, Paul (GWLE) 21 Reputation points
2022-12-12T16:54:16.567+00:00

Hi, would anyone know if there is a solution to the following issues:

I am reaching out due to an issue with Custom B2C Policy. The step we are having issues with is MFA step.

StarterPack used is the SocialAndLocalAccountsWithMfa https://github.com/Azure-Samples/active-directory-b2c-custom-policy-starterpack/tree/main/SocialAndLocalAccountsWithMfa
The issue that we are having is that after the user has registered and entered the number for the MFA, the next step is to verify the code.

In this step we have the following issue:
After 3 unsuccessful code verifications the flow of the policy is interrupted and an error with code is presented.

AADB2C90151: User has exceeded the maximum number for retries for multi-factor authentication.
Technical profile and protocol used in this step:
<TechnicalProfile Id="PhoneFactor-InputOrVerify">
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.PhoneFactorProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
</TechnicalProfile>

Is this a known issue, and is there a workaround?

Could there be a way to handle this through policies, so that we do not get this error but simply extend the number of retries?
In case this is a known issue, are there any indications on when it could be resolved? Is there a newer version of PhoneFactorProtocolProvider that should be used?
Thanks,
Paul


Accepted answer
  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2022-12-14T08:07:47.62+00:00

    @Hayes, Paul (GWLE)

    Thank you for reaching out to us. I researched your ask. As you are using the phone factor technical profile, it doesn't have an option to increase the retry attempts, as we depend on the phone factor service to verify the code, unlike the OTP technical profile, which has NumRetryAttempts.

    If a user exceeds the number of retry attempts, they can abort and start over. If they exceed this number, it means there is something wrong: either a malicious user, or an issue with their mobile carrier. In either case, increasing the retry attempts will not help. In terms of security, fraud protection, "denial-of-money" protection (each try costs as per the SMS/call flat rate), and Microsoft's own protection, it is not a good approach to increase the limit here.

    Besides, OTP using an authenticator app is more reliable and more secure than SMS or phone call. So, no, there are no plans to increase the retry limit for SMS/call-based MFA within Azure AD B2C.

    Reference:
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/phone-factor-technical-profile#metadata - Phone factor technical profile
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/one-time-password-technical-profile - one-time password technical profile

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

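For readers comparing the two technical profiles the accepted answer contrasts, the following is an added illustration (not code from the question, the answer, or the Microsoft starter pack) of where the retry limit lives in a one-time-password technical profile. The handler string and the metadata keys (Operation, CodeExpirationInSeconds, CodeLength, CharacterSet, NumRetryAttempts, NumCodeGenerationAttempts, ReuseSameCode) come from the one-time-password technical profile documentation linked above; the technical profile IDs, the claim type names (email, otp, verificationCode) and the specific values shown are assumptions for the example and should be checked against that documentation and your own policy's ClaimsSchema before use.

```xml
<!-- Added example: OTP technical profiles with an explicit retry budget.
     Technical profile IDs and claim type names are assumptions, not values from
     the starter pack. Values shown are illustrative, not recommended settings. -->
<ClaimsProvider>
  <DisplayName>One time password technical profiles</DisplayName>
  <TechnicalProfiles>

    <!-- Step 1: generate a code bound to the "identifier" input claim.
         The retry and generation limits are set here, on the GenerateCode
         operation, because this is where the verification session begins. -->
    <TechnicalProfile Id="GenerateOtp">
      <DisplayName>Generate one time password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">GenerateCode</Item>
        <!-- Code lifetime in seconds; a short window limits guessing time. -->
        <Item Key="CodeExpirationInSeconds">600</Item>
        <Item Key="CodeLength">6</Item>
        <Item Key="CharacterSet">0-9</Item>
        <!-- Wrong-code submissions allowed before the session is invalidated.
             This is the knob the phone factor profile does not expose. -->
        <Item Key="NumRetryAttempts">5</Item>
        <!-- Codes that may be issued for one session before the journey fails;
             caps the cost of repeated "resend code" requests. -->
        <Item Key="NumCodeGenerationAttempts">10</Item>
        <!-- Issue a fresh code on every generation rather than resending the old one. -->
        <Item Key="ReuseSameCode">false</Item>
      </Metadata>
      <InputClaims>
        <!-- "identifier" is the partner claim the provider keys the session on. -->
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
      </InputClaims>
      <OutputClaims>
        <!-- The generated code, to be delivered to the user by your own channel. -->
        <OutputClaim ClaimTypeReferenceId="otp" PartnerClaimType="otpGenerated" />
      </OutputClaims>
    </TechnicalProfile>

    <!-- Step 2: verify the code the user typed against the session for the
         same identifier. Exceeding NumRetryAttempts fails the journey. -->
    <TechnicalProfile Id="VerifyOtp">
      <DisplayName>Verify one time password</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
      <Metadata>
        <Item Key="Operation">VerifyCode</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
        <InputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpToVerify" />
      </InputClaims>
    </TechnicalProfile>

  </TechnicalProfiles>
</ClaimsProvider>
```

The point of the contrast is that the OTP provider lets the policy author own the retry and generation budgets, whereas the PhoneFactor-InputOrVerify profile from the question delegates code verification (and its fixed limit, surfaced as AADB2C90151) to the phone factor service. When you tune NumRetryAttempts, keep it small: every extra attempt widens the guessing window for a six-digit code, and the code expiration and generation cap should be lowered together rather than raised.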

1 additional answer

  1. Hayes, Paul (GWLE) 21 Reputation points
    2022-12-15T17:30:40.3+00:00

    Thanks for all the info, much appreciated.
    Regards,
    Paul

