> ## Documentation Index
> Fetch the complete documentation index at: https://docs-staging-quickstart-revamp.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes how to manage MFA authenticator factor enrollments for applications using the Auth0 MFA API.

# Manage Authentication Factors with Authentication API

<Card title="Before you start">
  * Enable the **MFA** grant type for your application. To learn more, read [Update Grant Types](/docs/get-started/applications/update-grant-types).
</Card>

Auth0 provides several [API endpoints](https://auth0.com/docs/api/authentication#multi-factor-authentication) to help you manage the authenticators you're using with an application for <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=multi-factor+authentication">multi-factor authentication</Tooltip> (MFA). You can use these endpoints to build a complete user interface that lets users manage their authenticator factors.

## Get MFA API access tokens

To call the MFA API to manage enrollments, you first need to obtain an <Tooltip tip="Access Token: Authorization credential, in the form of an opaque string or JWT, used to access an API." cta="View Glossary" href="/docs/glossary?term=access+token">access token</Tooltip> for the MFA API.

To use the MFA API as part of an authentication flow, you can follow the steps detailed in [Authenticate With Resource Owner Password Grant and MFA](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa). If you are building a user interface to manage authentication factors, you'll need to obtain a token you can use for the MFA API at any moment, not only during authentication.

An MFA access token, or an access token with an `https://{yourDomain}/mfa/` <Tooltip tip="Audience: Unique identifier of the audience for an issued token. Named aud in a token, its value contains the ID of either an application (Client ID) for an ID Token or an API (API Identifier) for an Access Token." cta="View Glossary" href="/docs/glossary?term=audience">audience</Tooltip>, simultaneously authenticates and instigates an MFA [challenge request](https://auth0.com/docs/api/authentication/muti-factor-authentication/request-mfa-challenge). Factor enablement in your tenant and enrollment by your users determine whether the MFA challenge initiates:

* If your tenant allows for multiple factor enrollment and your users enroll in a valid factor (excluding email), such as a one-time password (OTP), the user is issued the MFA challenge upon login.
* If your users are not enrolled with any authentication factors, or are only enrolled with the `email` factor, the MFA token is minted and the user not issued a challenge.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  The default expiry time of access tokens with the `https://{yourDomain}/mfa/*` audience is 10 minutes. This value cannot be configured.
</Callout>

### Universal Login

If you are using [Universal Login](/docs/authenticate/login/auth0-universal-login), redirect to the Authorize endpoint, specifying the `https://{yourDomain}/mfa/` audience.

<Warning>
  When `https://{yourDomain}/mfa/` is specified as the audience, MFA is enforced. When end users enable **Remember this browser** while `.../mfa` is specified as audience, the setting will have no effect.

  Auth0 recommends that tenant administrators [create an action](/docs/customize/actions/write-your-first-action) that sets `allowRememberBrowser` to false. This will hide **Remember this browser** from view in the end user's experience.
</Warning>

### Resource owner password grant

If you are using the <Tooltip tip="Resource Owner: Entity (such as a user or application) capable of granting access to a protected resource." cta="View Glossary" href="/docs/glossary?term=Resource+Owner">Resource Owner</Tooltip> Password Grant (ROPG), you have 3 options:

* Ask for the `https://{yourDomain}/mfa/` audience when logging-in, and use a [refresh token](/docs/secure/tokens/refresh-tokens) to refresh it later.
* If you need to list and delete authenticators, ask the user to [authenticate again](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) with `/oauth/token`, specifying the `https://{yourDomain}/mfa/` audience. Users will need to complete MFA before being able to list and/or delete authentication factors.
* If you only need to list authenticators, ask the user to [authenticate again](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa) using `/oauth/token` with username/password. The endpoint will return an `mfa_required` error, and an `mfa_token` you can use to list authenticators. Users will need to provide their password to see their authenticators.

### Scopes

When you request a token for the MFA audience, you can request the following scopes:

<table class="table">
  <thead>
    <tr>
      <th>Scope</th>
      <th>Description</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><code>enroll</code></td>
      <td>To enroll a new authenticator.</td>
    </tr>

    <tr>
      <td><code>read:authenticators</code></td>
      <td>To list existing authenticators.</td>
    </tr>

    <tr>
      <td><code>remove:authenticators</code></td>
      <td>To delete an authenticator.</td>
    </tr>
  </tbody>
</table>

## List authenticators

To get a list of the authenticators for a user, you can call the MFA Authenticators endpoint:

<CodeGroup>
  ```bash cURL lines
  curl --request GET \
    --url 'https://{yourDomain}/mfa/authenticators' \
    --header 'authorization: Bearer MFA_TOKEN'
  ```

  ```csharp C# lines
  var client = new RestClient("https://{yourDomain}/mfa/authenticators");
  var request = new RestRequest(Method.GET);
  request.AddHeader("authorization", "Bearer MFA_TOKEN");
  IRestResponse response = client.Execute(request);
  ```

  ```go Go lines
  package main

  import (
  	"fmt"
  	"net/http"
  	"io/ioutil"
  )

  func main() {

  	url := "https://{yourDomain}/mfa/authenticators"

  	req, _ := http.NewRequest("GET", url, nil)

  	req.Header.Add("authorization", "Bearer MFA_TOKEN")

  	res, _ := http.DefaultClient.Do(req)

  	defer res.Body.Close()
  	body, _ := ioutil.ReadAll(res.Body)

  	fmt.Println(res)
  	fmt.Println(string(body))

  }
  ```

  ```java Java lines
  HttpResponse<String> response = Unirest.get("https://{yourDomain}/mfa/authenticators")
    .header("authorization", "Bearer MFA_TOKEN")
    .asString();
  ```

  ```javascript Node.JS lines
  var axios = require("axios").default;

  var options = {
    method: 'GET',
    url: 'https://{yourDomain}/mfa/authenticators',
    headers: {authorization: 'Bearer MFA_TOKEN'}
  };

  axios.request(options).then(function (response) {
    console.log(response.data);
  }).catch(function (error) {
    console.error(error);
  });
  ```

  ```obj-c Obj-C lines
  #import <Foundation/Foundation.h>

  NSDictionary *headers = @{ @"authorization": @"Bearer MFA_TOKEN" };

  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/mfa/authenticators"]
                                                         cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                     timeoutInterval:10.0];
  [request setHTTPMethod:@"GET"];
  [request setAllHTTPHeaderFields:headers];

  NSURLSession *session = [NSURLSession sharedSession];
  NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                              completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                  if (error) {
                                                      NSLog(@"%@", error);
                                                  } else {
                                                      NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                      NSLog(@"%@", httpResponse);
                                                  }
                                              }];
  [dataTask resume];
  ```

  ```php PHP lines
  $curl = curl_init();

  curl_setopt_array($curl, [
    CURLOPT_URL => "https://{yourDomain}/mfa/authenticators",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HTTPHEADER => [
      "authorization: Bearer MFA_TOKEN"
    ],
  ]);

  $response = curl_exec($curl);
  $err = curl_error($curl);

  curl_close($curl);

  if ($err) {
    echo "cURL Error #:" . $err;
  } else {
    echo $response;
  }
  ```

  ```python Python lines
  import http.client

  conn = http.client.HTTPSConnection("")

  headers = { 'authorization': "Bearer MFA_TOKEN" }

  conn.request("GET", "/{yourDomain}/mfa/authenticators", headers=headers)

  res = conn.getresponse()
  data = res.read()

  print(data.decode("utf-8"))
  ```

  ```ruby Ruby lines
  require 'uri'
  require 'net/http'
  require 'openssl'

  url = URI("https://{yourDomain}/mfa/authenticators")

  http = Net::HTTP.new(url.host, url.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE

  request = Net::HTTP::Get.new(url)
  request["authorization"] = 'Bearer MFA_TOKEN'

  response = http.request(request)
  puts response.read_body
  ```

  ```swift Swift lines
  import Foundation

  let headers = ["authorization": "Bearer MFA_TOKEN"]

  let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/mfa/authenticators")! as URL,
                                          cachePolicy: .useProtocolCachePolicy,
                                      timeoutInterval: 10.0)
  request.httpMethod = "GET"
  request.allHTTPHeaderFields = headers

  let session = URLSession.shared
  let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    if (error != nil) {
      print(error)
    } else {
      let httpResponse = response as? HTTPURLResponse
      print(httpResponse)
    }
  })

  dataTask.resume()
  ```
</CodeGroup>

You should receive information about the authenticator type(s) in the response:

```json lines
[
  {
    "authenticator_type": "recovery-code",
    "id": "recovery-code|dev_IsBj5j3H12VAdOIj",
    "active": true
  },
  {
    "authenticator_type": "otp",
    "id": "totp|dev_nELLU4PFUiTW6iWs",
    "active": true,
  },
  {
    "authenticator_type": "oob",
    "oob_channel": "sms",
    "id": "sms|dev_sEe99pcpN0xp0yOO",
    "name": "+1123XXXXX",
    "active": true
  }
]
```

For the purposes of building a user interface for end users to manage their factors, you should ignore authenticators that have `active` as `false`. Those authenticators are not confirmed by users, so they can't be used to challenge for MFA.

The MFA API will list the following enrollments depending on the authenticator type:

<table class="table">
  <thead>
    <tr>
      <th>Authenticator</th>
      <th>Actions</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><strong>Push and OTP</strong></td>
      <td>If push is enabled, Auth0 also creates an OTP enrollment. You will see both when listing enrollments.</td>
    </tr>

    <tr>
      <td><strong>SMS and Voice</strong></td>
      <td>If both SMS and voice are enabled, when a user enrolls with either SMS or voice, Auth0  automatically creates two authenticators for the phone number, one for SMS and another for voice.</td>
    </tr>

    <tr>
      <td><strong>Email</strong></td>
      <td>All verified emails will be listed as authenticators.</td>
    </tr>
  </tbody>
</table>

## Enroll authenticators

See the following links for details on how to enroll authenticators for different factors:

* [SMS or voice](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators)
* [One-time password (OTP)](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators)
* [Push](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators)
* [Email](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators)

You can also use the [Universal Login flow](/docs/secure/multi-factor-authentication/multi-factor-authentication-developer-resources/create-custom-enrollment-tickets) for enrolling users at any time.

## Delete authenticators

To delete an associated authenticator, send a `DELETE` request to the MFA Authenticators endpoint replacing the `AUTHENTICATOR_ID` with the relevant authenticator ID. You can get the ID when you list authenticators.

If an `mfa_token` was used to list authenticators, users will need to [complete MFA to obtain an access token](https://auth0.com/docs/api/authentication/muti-factor-authentication/verify-mfa-with-otp) with an audience of `https://{yourDomain}/mfa/` in order to delete an authenticator.

<CodeGroup>
  ```bash cURL lines
  curl --request DELETE \
    --url 'https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID' \
    --header 'authorization: Bearer ACCESS_TOKEN'
  ```

  ```csharp C# lines
  var client = new RestClient("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID");
  var request = new RestRequest(Method.DELETE);
  request.AddHeader("authorization", "Bearer ACCESS_TOKEN");
  IRestResponse response = client.Execute(request);
  ```

  ```go Go lines
  package main

  import (
  	"fmt"
  	"net/http"
  	"io/ioutil"
  )

  func main() {

  	url := "https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID"

  	req, _ := http.NewRequest("DELETE", url, nil)

  	req.Header.Add("authorization", "Bearer ACCESS_TOKEN")

  	res, _ := http.DefaultClient.Do(req)

  	defer res.Body.Close()
  	body, _ := ioutil.ReadAll(res.Body)

  	fmt.Println(res)
  	fmt.Println(string(body))

  }
  ```

  ```java Java lines
  HttpResponse<String> response = Unirest.delete("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID")
    .header("authorization", "Bearer ACCESS_TOKEN")
    .asString();
  ```

  ```javascript Node.JS lines
  var axios = require("axios").default;

  var options = {
    method: 'DELETE',
    url: 'https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID',
    headers: {authorization: 'Bearer ACCESS_TOKEN'}
  };

  axios.request(options).then(function (response) {
    console.log(response.data);
  }).catch(function (error) {
    console.error(error);
  });
  ```

  ```obj-c Obj-C lines
  #import <Foundation/Foundation.h>

  NSDictionary *headers = @{ @"authorization": @"Bearer ACCESS_TOKEN" };

  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID"]
                                                         cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                     timeoutInterval:10.0];
  [request setHTTPMethod:@"DELETE"];
  [request setAllHTTPHeaderFields:headers];

  NSURLSession *session = [NSURLSession sharedSession];
  NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                              completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                  if (error) {
                                                      NSLog(@"%@", error);
                                                  } else {
                                                      NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                      NSLog(@"%@", httpResponse);
                                                  }
                                              }];
  [dataTask resume];
  ```

  ```php PHP lines
  $curl = curl_init();

  curl_setopt_array($curl, [
    CURLOPT_URL => "https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "DELETE",
    CURLOPT_HTTPHEADER => [
      "authorization: Bearer ACCESS_TOKEN"
    ],
  ]);

  $response = curl_exec($curl);
  $err = curl_error($curl);

  curl_close($curl);

  if ($err) {
    echo "cURL Error #:" . $err;
  } else {
    echo $response;
  }
  ```

  ```python Python lines
  import http.client

  conn = http.client.HTTPSConnection("")

  headers = { 'authorization': "Bearer ACCESS_TOKEN" }

  conn.request("DELETE", "/{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID", headers=headers)

  res = conn.getresponse()
  data = res.read()

  print(data.decode("utf-8"))
  ```

  ```ruby Ruby lines
  require 'uri'
  require 'net/http'
  require 'openssl'

  url = URI("https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID")

  http = Net::HTTP.new(url.host, url.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE

  request = Net::HTTP::Delete.new(url)
  request["authorization"] = 'Bearer ACCESS_TOKEN'

  response = http.request(request)
  puts response.read_body
  ```

  ```swift Swift lines
  import Foundation

  let headers = ["authorization": "Bearer ACCESS_TOKEN"]

  let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/mfa/authenticators/AUTHENTICATOR_ID")! as URL,
                                          cachePolicy: .useProtocolCachePolicy,
                                      timeoutInterval: 10.0)
  request.httpMethod = "DELETE"
  request.allHTTPHeaderFields = headers

  let session = URLSession.shared
  let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    if (error != nil) {
      print(error)
    } else {
      let httpResponse = response as? HTTPURLResponse
      print(httpResponse)
    }
  })

  dataTask.resume()
  ```
</CodeGroup>

If the authenticator was deleted, a 204 response is returned.

When you delete an authenticator, the following actions take place depending on the authenticator type:

<table class="table">
  <thead>
    <tr>
      <th>Authenticator</th>
      <th>Action</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td><strong>Push and OTP</strong></td>
      <td>When a user enrolls a push authenticator, Auth0 also enrolls OTP. If you delete either of them, the other one will also be deleted.</td>
    </tr>

    <tr>
      <td><strong>SMS and Voice</strong></td>
      <td>When a user enrolls in either SMS or Voice,. Auth0 creates two authenticators, SMS and voice. If you delete either of them, the other will will also be deleted.</td>
    </tr>

    <tr>
      <td><strong>Email</strong></td>
      <td>All verified emails listed as authenticators, but you can't delete them. You can only delete email authenticators that are enrolled explicitly.</td>
    </tr>
  </tbody>
</table>

## Regenerate recovery codes

To delete a recovery code and generate a new one, get an Auth0 [Management API access token](https://auth0.com/docs/api/management/v2/tokens) and use the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> [Recovery Code Regeneration endpoint](https://auth0.com/docs/api/management/v2/#!/Users/post_recovery_code_regeneration).

<CodeGroup>
  ```bash cURL lines
  curl --request POST \
    --url 'https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration' \
    --header 'authorization: Bearer MANAGEMENT_API_TOKEN'
  ```

  ```csharp C# lines
  var client = new RestClient("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration");
  var request = new RestRequest(Method.POST);
  request.AddHeader("authorization", "Bearer MANAGEMENT_API_TOKEN");
  IRestResponse response = client.Execute(request);
  ```

  ```go Go lines
  package main

  import (
  	"fmt"
  	"net/http"
  	"io/ioutil"
  )

  func main() {

  	url := "https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration"

  	req, _ := http.NewRequest("POST", url, nil)

  	req.Header.Add("authorization", "Bearer MANAGEMENT_API_TOKEN")

  	res, _ := http.DefaultClient.Do(req)

  	defer res.Body.Close()
  	body, _ := ioutil.ReadAll(res.Body)

  	fmt.Println(res)
  	fmt.Println(string(body))

  }
  ```

  ```java Java lines
  HttpResponse<String> response = Unirest.post("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration")
    .header("authorization", "Bearer MANAGEMENT_API_TOKEN")
    .asString();
  ```

  ```javascript Node.JS lines
  var axios = require("axios").default;

  var options = {
    method: 'POST',
    url: 'https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration',
    headers: {authorization: 'Bearer MANAGEMENT_API_TOKEN'}
  };

  axios.request(options).then(function (response) {
    console.log(response.data);
  }).catch(function (error) {
    console.error(error);
  });
  ```

  ```obj-c Obj-C lines
  #import <Foundation/Foundation.h>

  NSDictionary *headers = @{ @"authorization": @"Bearer MANAGEMENT_API_TOKEN" };

  NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration"]
                                                         cachePolicy:NSURLRequestUseProtocolCachePolicy
                                                     timeoutInterval:10.0];
  [request setHTTPMethod:@"POST"];
  [request setAllHTTPHeaderFields:headers];

  NSURLSession *session = [NSURLSession sharedSession];
  NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                              completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                  if (error) {
                                                      NSLog(@"%@", error);
                                                  } else {
                                                      NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                      NSLog(@"%@", httpResponse);
                                                  }
                                              }];
  [dataTask resume];
  ```

  ```php PHP lines
  $curl = curl_init();

  curl_setopt_array($curl, [
    CURLOPT_URL => "https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "POST",
    CURLOPT_HTTPHEADER => [
      "authorization: Bearer MANAGEMENT_API_TOKEN"
    ],
  ]);

  $response = curl_exec($curl);
  $err = curl_error($curl);

  curl_close($curl);

  if ($err) {
    echo "cURL Error #:" . $err;
  } else {
    echo $response;
  }
  ```

  ```python Python lines
  import http.client

  conn = http.client.HTTPSConnection("")

  headers = { 'authorization': "Bearer MANAGEMENT_API_TOKEN" }

  conn.request("POST", "/{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration", headers=headers)

  res = conn.getresponse()
  data = res.read()

  print(data.decode("utf-8"))
  ```

  ```ruby Ruby lines
  require 'uri'
  require 'net/http'
  require 'openssl'

  url = URI("https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration")

  http = Net::HTTP.new(url.host, url.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE

  request = Net::HTTP::Post.new(url)
  request["authorization"] = 'Bearer MANAGEMENT_API_TOKEN'

  response = http.request(request)
  puts response.read_body
  ```

  ```swift Swift lines
  import Foundation

  let headers = ["authorization": "Bearer MANAGEMENT_API_TOKEN"]

  let request = NSMutableURLRequest(url: NSURL(string: "https://{yourDomain}/api/v2/users/USER_ID/recovery-code-regeneration")! as URL,
                                          cachePolicy: .useProtocolCachePolicy,
                                      timeoutInterval: 10.0)
  request.httpMethod = "POST"
  request.allHTTPHeaderFields = headers

  let session = URLSession.shared
  let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
    if (error != nil) {
      print(error)
    } else {
      let httpResponse = response as? HTTPURLResponse
      print(httpResponse)
    }
  })

  dataTask.resume()
  ```
</CodeGroup>

You will get a new recovery code that the end user will need to capture, for example:

```json lines
{  
   "recovery_code": "FA45S1Z87MYARX9RG6EVMAPE"
}
```

## Learn more

* [Enroll and Challenge SMS and Voice Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-challenge-sms-voice-authenticators)
* [Enroll and Challenge OTP Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-otp-authenticators)
* [Enroll and Challenge Push Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-push-authenticators)
* [Enroll and Challenge Email Authenticators](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/enroll-and-challenge-email-authenticators)
* [Challenge with Recovery Codes](/docs/secure/multi-factor-authentication/authenticate-using-ropg-flow-with-mfa/challenge-with-recovery-codes)
