Is there a way to renew the OTP secret for user when using the Authy API?


I am using the Authy API for TOTP authentication. Many users prefer to use Google Authenticator and don't want to download the Authy app. So I am using the Authy API as mentioned here to get the QR code for Google Authenticator (https://www.twilio.com/docs/authy/api/one-time-passwords#other-authenticator-apps).

One security issue I see here is that users might want to change their authenticator secret from time to time, and Twilio doesn't have a direct API to renew the secret. Is there a way to achieve that outcome?

One solution I can think of is to delete the user and create a new one, but I am hoping to find a better option.


Solution

  • Twilio developer evangelist here.

    Every time you make a request to the API to generate a new secret and QR code, the old one is invalidated. So to update a user's secret, just request the same API again.

    This does seem like an edge case though; I might suggest that you wait for a user to request this rather than build a feature you don't necessarily need.

    If you are looking for automated token management, then using the Authy app and Authy generated tokens is the best option. Because the app and the API work together, tokens can be rolled automatically by Authy without the user having to worry.

    Edit

    We have added the following to the documentation to clarify this for the future:

    Note, each QR code request will generate a unique TOTP seed. As such, you can only have a single active QR code per user per protected site. Requesting an additional QR code for a user will invalidate the previous secret and generate a new QR code.
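As an added illustration (not Twilio's code and not the Authy API itself), the following Python models the property the answer describes: a single active TOTP seed per user, where each rotation replaces the previous seed so that codes generated from the old secret are rejected. The in-memory store, the issuer name and the function names are assumptions for the example; the TOTP computation follows RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, quote, urlparse

# Constructed in-memory store standing in for the server-side state the Authy API keeps.
_active_secrets: Dict[str, bytes] = {}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default that Google Authenticator expects."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def rotate_secret(user_id: str, issuer: str = "ExampleApp") -> str:
    """Issue a fresh 160-bit seed for the user, replacing (invalidating) any previous one.
    Returns the otpauth:// URI a QR code would encode. Only one seed per user is active."""
    _active_secrets[user_id] = secrets.token_bytes(20)
    b32 = base64.b32encode(_active_secrets[user_id]).decode().rstrip("=")
    label = quote(f"{issuer}:{user_id}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


def secret_from_uri(uri: str) -> bytes:
    """Extract the raw seed from an otpauth:// URI (what the authenticator app stores)."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify(user_id: str, code: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Accept a code only if it matches the user's *current* seed, allowing +/- `window`
    time steps of clock drift. Codes derived from a rotated-out seed are rejected."""
    secret = _active_secrets.get(user_id)
    if secret is None:
        return False
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-window, window + 1))
```

Because the store holds exactly one seed per user, an attacker who captured the old QR code or seed loses access the moment the user rotates, which is the behaviour to confirm in any rotation flow.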