Hello Everyone,
I’ve encountered an issue with the password reset functionality in my project. It was working fine around 7–8 weeks ago, but now users are reporting the following error message:
“AAL2 session is required to update email or password when MFA is enabled.”
My application has always utilized MFA without an issue with password resets, and based on the error, it seems that the session now needs to be elevated to AAL2 to proceed.
Does anyone know if there have been any recent changes that could have introduced this requirement?
Thanks in advanced
Hi @Broberto - Yes, I’m familiar with the document, as this is how the implementation of 2FA was done in my project. However, it seems that something changed on Supabase’s end as in the past we could reset the password even when 2FA was enrolled. But now, if a user has MFA enrolled, the aal.currentLevel must be elevated to aal2 before allowing a password change.
After troubleshooting and updating the workflow logic to verify the 2FA, everything is working as expected again. Thanks for your response, and I hope this information helps others who might encounter the same issue.
1 Like