Adding the phone number used during MFA in the ID Token in a rule may not be possible since MFA occurs after rules execute in the auth flow.
After MFA, if you have the `disable_management_api_sms_obfuscation` flag set to true in your tenant settings (see answer: Getting Users' Phone Numbers - #9 by Saltuk), then you can use the `GET /api/v2/guardian/enrollments/{id}` endpoint to get the user’s phone number.
```json
{
  "id": "dev_abc123",
  "status": "confirmed",
  "phone_number": "+1 1234567891",
  "type": "sms",
  "last_auth": "2021-03-10T15:26:14.012Z"
}
```
Or you could use progressive profiling to ask the user for the phone number on a subsequent login.
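
An added example, not part of the original answer and not Auth0's own code: a backend helper that calls the enrollment endpoint mentioned above and only returns the number when the enrollment is a confirmed SMS factor and the value is not masked. The names `phoneFromEnrollment`, `getEnrollmentPhone` and `fetchImpl` are hypothetical, and it is an assumption that a masked number contains `X` characters when the obfuscation flag is not set.

```javascript
// Added example. Hypothetical helper names; not taken from the Auth0 SDK.
// Assumption: when obfuscation is still enabled, the masked number contains "X".

// Return a compact phone number from an enrollment object, or null if unusable.
function phoneFromEnrollment(enrollment) {
  if (!enrollment || enrollment.type !== 'sms') return null;   // not an SMS factor
  if (enrollment.status !== 'confirmed') return null;          // enrollment never completed
  const raw = enrollment.phone_number;
  if (typeof raw !== 'string') return null;                    // field missing
  if (/x/i.test(raw)) return null;                             // still obfuscated
  const compact = raw.replace(/[\s().-]/g, '');                // "+1 1234567891" -> "+11234567891"
  return /^\+\d{7,15}$/.test(compact) ? compact : null;        // "+" followed by digits only
}

// Fetch one enrollment by id with a Management API token.
// fetchImpl is injectable so the HTTP call can be stubbed offline.
async function getEnrollmentPhone(domain, token, enrollmentId, fetchImpl = fetch) {
  const url = `https://${domain}/api/v2/guardian/enrollments/` +
              encodeURIComponent(enrollmentId);
  const res = await fetchImpl(url, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (!res.ok) throw new Error(`Management API returned ${res.status}`);
  return phoneFromEnrollment(await res.json());
}

// Sample response from the answer above, plus a constructed masked variant.
const sampleEnrollment = {
  id: 'dev_abc123',
  status: 'confirmed',
  phone_number: '+1 1234567891',
  type: 'sms',
  last_auth: '2021-03-10T15:26:14.012Z',
};
const maskedEnrollment = { ...sampleEnrollment, phone_number: 'XXXXXXXX7891' };

console.log(phoneFromEnrollment(sampleEnrollment));
console.log(phoneFromEnrollment(maskedEnrollment));
```

Run this server-side only: the Management API token and the unmasked number are both sensitive, so neither should reach browser code or logs.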