We have a pretty complex setup, but in the context of this question, let’s assume we have an Angular frontend and a .NET based API. The software is aimed at our customers, for which we act as a SaaS provider.
Our user base (users are mainly our customers and some employees) is using both federations (SAML, AzureAD and OpenID) and username/password/MFA (= Auth0 database connection) authentication.
MFA is based on Guardian and a rule on our Auth0 tenant to make sure that it only applies to username/password users (so only for a particular database connection). Users can select OTP or Push, we do not use SMS or any other method.
We use the Auth0 hosted pages/universal login in classic mode (due to the different connections we cannot switch to the new user experience yet).
We are providing a custom self-service portal to our users (Angular SPA/.NET API). That portal allows our customers to manage their user accounts. When they create a user account for their organization, the portal will send out a user invitation email (so we are not using the Welcome email solution provided by the Auth0 platform). We use redirects for password reset and MFA enrollment tickets to make sure that the users end up in the right locations.
The main issue we are trying to solve is that our users don’t understand MFA and are not reading manuals. We therefore want to make sure that the information is available on the page where the MFA enrollment happens.
Hope this clarifies the setup.
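The post mentions "a rule on our Auth0 tenant" that restricts Guardian MFA to username/password users. The block below is an added illustration of that kind of rule, not the poster's own code: it uses the Auth0 Rules signature (`function (user, context, callback)`) and the documented `context.connection`, `context.connectionStrategy` and `context.multifactor` fields, and it wraps the rule in a small offline harness so the decision can be checked against constructed login contexts. The connection name `Username-Password-Authentication` is an assumption; substitute the tenant's actual database connection name.

```javascript
// Added example (not the poster's rule): an Auth0 Rule that requires Guardian MFA
// only for logins through one database connection, so federated users
// (SAML / AzureAD / OpenID) are never prompted for it.
const MFA_CONNECTION = 'Username-Password-Authentication'; // assumed connection name

// Rule body in the shape Auth0 Rules expect: function (user, context, callback).
function requireMfaForDatabaseUsers(user, context, callback) {
  // context.connection is the connection used for this login;
  // context.connectionStrategy is 'auth0' for database connections, so checking
  // both guards against a federated connection that happens to share the name.
  if (context.connection === MFA_CONNECTION && context.connectionStrategy === 'auth0') {
    context.multifactor = {
      provider: 'guardian',
      // Do not let a browser skip MFA on later logins; relax only if policy allows it.
      allowRememberBrowser: false
    };
  }
  return callback(null, user, context);
}

// Offline harness: run the rule against a constructed login context and
// return the resulting context so the MFA decision can be inspected or tested.
function evaluate(connectionName, strategy) {
  const user = { user_id: 'auth0|example', email: 'user@example.com' }; // constructed
  const context = { connection: connectionName, connectionStrategy: strategy }; // constructed
  let result = null;
  requireMfaForDatabaseUsers(user, context, (err, u, ctx) => {
    if (err) throw err;
    result = ctx;
  });
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Database user: MFA is enforced.
  console.log(evaluate('Username-Password-Authentication', 'auth0').multifactor); // { provider: 'guardian', allowRememberBrowser: false }
  // Federated user: the rule leaves the context untouched.
  console.log(evaluate('my-saml-idp', 'samlp').multifactor); // undefined
}
```

The harness is only there to make the rule's behaviour testable outside the tenant; in production the rule runs on every login, so the federated branch deliberately changes nothing, and the strategy check keeps a second database connection (or a renamed enterprise connection) from silently picking up the MFA requirement.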