I am using Twilio's verify API for TOTP services (Authy, Google Authenticator, etc).
I am trying to figure out how to handle the case where a user has lost access to their phone and cannot get past the TOTP 2FA challenge. Can I create a new Factor for that user and somehow "invalidate" the previous one?
Anyone know how to do this?
You can delete a factor, which would remove it from the entity. You can then create a new factor.
How to handle how you re-enable access to the user's account in your system is up to you though. Presumably after the user has convinced your support team that they are the rightful owner of the account, you could turn off 2FA verification for their account, allowing them to log in, and then have them go through 2FA set up again themselves. You might also want to consider generating back up codes which they can use in the case that they lose their device again.