
Encountering More factors are required when combining magic url and mfa

  • 0
  • Self Hosted
  • Auth
  • Web
blackfan23
24 Jun, 2025, 04:27

I am encountering the more factors error even though I am providing the proper MFA code in the workflow.

The following happens:

  1. User provides email address
  2. User receives the email with the proper callback link and secret
  3. User gets authenticated and is prompted to provide mfa code (also via email)
  4. User provides the mfa code and instead of being logged in the mfa component errors requesting more factors

What works: a) Magic URL with disabled MFA b) Email/Password with or without MFA (same MFA component/code as for the magic URL). Here the code is sent in the same way and upon providing it the user is properly logged in.

Since all parts are working individually or in a different context/combination I am at a loss at what more to try. Help is greatly appreciated.

As this is proprietary code I have no reproduction at hand, but can make one if that makes a difference.

password is using: account.createEmailPasswordSession

magic is using: account.updateMagicURLSession

mfa is using: account.updateMfaChallenge

TL;DR
Developers are encountering issues when combining magic URL and MFA due to time delays with Appwrite communication. Avoid using manual collections for users, sessions, and MFA_verifications. Consider placing env variables under /src/environments. A GitHub repository with a flow that combines MFA and Magic URL is provided for reference. Despite implementing session checks and calling the account before the challenge, the issue persists. The developer plans to create a simple example app for sharing and reproduction.
ɹǝpoƆʎɹᗡʎllıS
24 Jun, 2025, 04:49

@blackfan23 you're clearly following the correct flow, and it's helpful that MFA works with password sessions but fails specifically when used with Magic URL + MFA. Let's walk through what’s likely happening and what to check.

From your steps:

  1. account.createMagicURLSession() (user gets link)
  2. ✅ User clicks link → account.updateMagicURLSession() — success
  3. ✅ Appwrite triggers MFA → sends 6-digit email code
  4. account.updateMfaChallenge() is called with the code
  5. 🔴 Error: "More factors required" (even though you just provided the only expected factor)

What Might Be Going Wrong

✅ You're probably authenticating the Magic URL session but not fully attaching the session token or not updating the session context before calling updateMfaChallenge.

Appwrite uses cookies/tokens to associate the current session context with the MFA challenge. When using magic links, the updateMagicURLSession returns a session object that includes a userId and likely a cookie-based session (if running in browser), or token if using custom headers.

If updateMfaChallenge() is being called:

  • Outside of the same session context (e.g. missing token or cookie)
  • Or before Appwrite associates the magic link with the MFA challenge properly

…it may treat it as an incomplete session and return the "more factors required" error.

Fix Checklist

  1. Ensure token/session from updateMagicURLSession() is set
    • If using Web SDK: make sure cookies are preserved (i.e., not calling via API manually)
    • If using SSR/Node or custom flow: store the session token and reattach it to the client using: account.updateSession('SESSION_ID');
ɹǝpoƆʎɹᗡʎllıS
24 Jun, 2025, 04:49
  2. Verify that MFA challenge is being attached to that session
    • The challenge from account.createMfaChallenge() needs to be consumed in the same session that was just authenticated from the magic link.
    • You may need to store and reuse the returned challengeId if applicable (depending on your version of Appwrite SDK).
ɹǝpoƆʎɹᗡʎllıS
24 Jun, 2025, 04:50
  3. Confirm that only 1 MFA factor is required
    • Sometimes the error "More factors required" actually means "this factor wasn't enough" — double-check in the Appwrite console that your project has only 1 MFA factor required (e.g., just email, not email + TOTP).
ɹǝpoƆʎɹᗡʎllıS
24 Jun, 2025, 04:50

Suggested Debugging Strategy

To isolate the issue:

  • Log the session after updateMagicURLSession()
  • Log the response of createMfaChallenge()

Try manually calling get() right before updateMfaChallenge() to confirm you're authenticated: const session = await account.get();
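
The debugging strategy above as a runnable trace; this is an added example, not code from the thread or from Appwrite. It assumes the Web SDK's positional signatures `updateMagicURLSession(userId, secret)`, `createMfaChallenge('email')` and `updateMfaChallenge(challengeId, otp)`, and that `get()` fails with error type `user_more_factors_required` while MFA is pending; `traceMagicUrlMfa` and `stubAccount` are hypothetical names, and the stub's return values are constructed.

```javascript
// Added example; not code from the thread. `account` is any object exposing the
// Appwrite account methods named above. Signatures and error types are assumptions.
const MORE_FACTORS = 'user_more_factors_required'; // error type while MFA is pending

async function traceMagicUrlMfa(account, { userId, secret, otp }) {
  const trace = [];
  // Run one call and record its outcome so every step of the flow is visible.
  const step = async (name, fn) => {
    try {
      const res = await fn();
      trace.push({ step: name, ok: true, id: res.$id });
      return res;
    } catch (err) {
      trace.push({ step: name, ok: false, type: err.type || 'unknown' });
      return null;
    }
  };
  const last = () => trace[trace.length - 1];

  if (!await step('updateMagicURLSession', () => account.updateMagicURLSession(userId, secret)))
    return { trace, verdict: 'magic-url-rejected' };

  // With MFA pending, get() is expected to fail with MORE_FACTORS. Any other
  // failure means this client is not carrying the new session (cookie/token lost).
  if (await step('get:before', () => account.get())) return { trace, verdict: 'no-mfa-required' };
  if (last().type !== MORE_FACTORS) return { trace, verdict: 'session-not-attached' };

  const challenge = await step('createMfaChallenge', () => account.createMfaChallenge('email'));
  if (!challenge) return { trace, verdict: 'challenge-not-created' };
  if (!await step('updateMfaChallenge', () => account.updateMfaChallenge(challenge.$id, otp)))
    return { trace, verdict: 'challenge-failed:' + last().type };

  // If get() still reports MORE_FACTORS here, the challenge did not complete the session.
  if (await step('get:after', () => account.get())) return { trace, verdict: 'logged-in' };
  return { trace, verdict: last().type === MORE_FACTORS ? 'still-more-factors' : 'get-failed' };
}

// Constructed stub standing in for the SDK so the trace runs offline.
function stubAccount({ attach = true, clearsMfa = true } = {}) {
  let state = 'none';
  const fail = (type) => { throw Object.assign(new Error(type), { type }); };
  return {
    updateMagicURLSession: async (userId) => { if (attach) state = 'pending'; return { $id: 'sess-1', userId }; },
    get: async () => (state === 'ok' ? { $id: 'user-1' } : fail(state === 'pending' ? MORE_FACTORS : 'general_unauthorized_scope')),
    createMfaChallenge: async () => ({ $id: 'chal-1' }),
    updateMfaChallenge: async (id, otp) => { if (otp !== '123456') fail('user_invalid_token'); if (clearsMfa) state = 'ok'; return { $id: 'sess-1' }; },
  };
}
```

Passing the real `account` instance in place of the stub yields the same trace shape, which separates a session that never attached from one that attached but still lacks a factor after the challenge.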

blackfan23
24 Jun, 2025, 05:55

Appreciate the answers. I have gone through the steps now and implemented both the session checks and restore as well as to call account before the challenge. It does not work. I will try to produce a simple example app that I can share for reproduction.

ɹǝpoƆʎɹᗡʎllıS
24 Jun, 2025, 11:32

That would really help @blackfan23 Thanks :appwritepeepo:

blackfan23
25 Jun, 2025, 16:34

I have now put together a flow that combines MFA and Magic URL. Same error. It's a basic Angular app with no fancy business logic. Vibe coded the basics, so don't be distracted by some of the code. However, the authorisation flow is handcrafted and is the same one that I use in production. Repo here

blackfan23
25 Jun, 2025, 16:35

env variables go under /src/environments. The example file is included.

ɹǝpoƆʎɹᗡʎllıS
25 Jun, 2025, 20:02

Hi, just reviewed. Looks fine to me. You did everything on point. I attached a PDF with the updated solutions, mainly dealing with time delays to session update and URL creation, since there is a microseconds delay with Appwrite communication and session update. Have a look please.

You do not need manual collections for: users, sessions, mfa_verifications. These are managed internally by Appwrite via the account and users APIs. Until you need them for analytics or preferences.
