Updating MFA methods for user with TOTP active results in error

[grzegorzjudas]

[REQUIRED] Step 2: Describe your environment

• Operating System version: macOS 15.6.1
• Firebase SDK version: 13.5.0
• Firebase Product: auth
• Node.js version: 20.19.2
• NPM version: 11.6.2

[REQUIRED] Step 3: Describe the problem

When attempted to change anything in the MFA configuration of a user that has TOTP active, firebase throws.

Steps to reproduce:

See the following example, where I attempt to enroll user with phone factor.

let enrolledFactors = (user.multiFactor?.enrolledFactors || []) as unknown as firebase.auth.UpdateMultiFactorInfoRequest[];

if (enrolledFactors.find((f) => f.factorId === method)) {
    console.log(`User ${email} is already enrolled in MFA method: ${method}`);
    return;
}

await firebase.auth().updateUser(user.uid, {
    multiFactor: {
        enrolledFactors: [
            ...enrolledFactors,
            {
                uid: `phone:${sanitizePhoneNumber(phoneNumber)}`,
                factorId: FactorId.PHONE,
                phoneNumber,
            },
        ],
    },
});

If the enrolledFactors include an entry with factorId totp, it throws:

FirebaseAuthError: Unsupported second factor "{"uid":"58637419-3818-4e95-b26c-7254aa11a85b","displayName":"TOTP","factorId":"totp","enrollmentTime":"Fri, 24 Oct 2025 09:34:05 GMT","totpInfo":{}}" provided.

It does look like the firebase-admin does not support TOTP fully, even though user was able to enroll and use the TOTP method on the client just fine - and the user.multiFactor?.enrolledFactors do return it (but you can't save it back to the firebase).

[grzegorzjudas]

Also one note regarding TypeScript definitions. The enrolledFactors array (2nd argument of the updateUser call) is of type MultiFactorUpdateSettings.enrolledFactors: UpdatePhoneMultiFactorInfoRequest[] | null which definitely suggests it wasn't updated to a more generic type that also supports TOTP (the type returned from user.multiFactor?.enrolledFactors is MultiFactorInfo[] | undefined.