Clear List of Trusted Devices After Reset Password?

The gist is that I want to force MFA on ALL devices/browsers/contexts after successfully completing the Forgot Password (verify security question) API call.

I figure the quickest way to achieve this would be to delete all deviceTokens associated with a given user. Is this possible?

I use my web app in Chrome and Edge. Both browsers have a UUID deviceToken cookie stored to bypass MFA on the trusted device.

I complete the Forgot Password (verify security question) process in Chrome. The app destroys the deviceToken cookie, triggering MFA on the next login using Chrome. So far so good.

The gap I am trying to bridge is how to require MFA during the next login using Edge (really, all other trusted devices).


As far as I know, there is not a way. I don’t know of any management API that would do this.
I tested suspending/un-suspending a user, but the associated tokens remained.

I am researching internally, but if I (or someone else) does update this thread in a few days, I would suggest opening a support case.

Thank You,