# Delete Authenticator

div
div
Client SDK
div
Backend API
div
Mobile approve
div
SSO
div
Sub-journey
> Deletes a registered authenticator for a user


## Description

This step removes a specific authenticator registration from the user's profile in Mosaic. It can be used to delete authenticators such as passwords, passkeys, TOTP, mobile biometrics, face authentication, and PIN codes (*This functionality is being gradually rolled out across regions and tenants*). OTP authenticators cannot be deleted using this step. This step only removes the authenticator record in Mosaic—for device-bound authenticators (such as passkeys, mobile biometrics, or PIN codes), the local key on the user's device is not affected.

The authenticator to delete is identified by its authenticator ID, which can be retrieved using the "User Authenticators: User authenticators API" step. If the step completes successfully, the authenticator is removed from the user's profile and the journey continues to the next step. If it fails, the journey proceeds to a failure branch (if one is specified); otherwise, the journey is aborted and an error is sent to the client.

Note
This step replaces the [Delete Mobile Biometrics](/guides/orchestration/journeys/delete_mobile_biometrics) and [Delete Mobile PIN](/guides/orchestration/journeys/delete_pin_code) steps, which are now deprecated.

## Configuration

div
| Field | Description |
|  --- | --- |
| **User auth state** | Indicates if the user has authenticated in this journey. If the user is authenticated (default), the user context is provided implicitly by the journey. If not, a user identifier must be configured. |
| **Identifiers** | Only configured if the journey doesn't authenticate the user before invoking this step. Can be an external user ID, email, phone number, username, or a [custom identifier](/guides/user/manage_user_schema), if configured for B2C users in your tenant. |
| **Authenticator ID** | ID of the authenticator to delete, specified as an expression. Can be retrieved using the "User Authenticators: User authenticators API" step or the [User Authenticators API](/openapi/user/authenticators.openapi/other/userauthenticators). |
| **Error output variable** | Name of the variable that stores any errors returned by the step. |
| **Failure behavior** | Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default). |


Journey event data
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see [Additional data reporting](/guides/orchestration/getting-started/event_reporting).