Email 2FA enrollments cannot be reset

Problem statement

We noticed that if we try to reset the 2FA factors for an existing profile in the Auth0 dashboard, all associated factors are successfully removed except the Email enrollments.

Why is this happening? Is there something special about Email enrollments?

The weird thing is, after the reset, if we check the user.multifactor array in the rules pipeline, that array is empty, even though the profile says that there is one factor “Enrolled using Email”.

Solution

Here are the reasons why this happens:

  • Email is only intended to be used as a backup factor.

  • Users are automatically enrolled to the email factor if their email address is verified and the email factor is enabled in the tenant.

You can find more details in the following article: Configure Email Notifications for MFA


Email is not a true MFA factor because it does not represent a different factor than the password. It does not represent something I have or something I am, but rather just something I know (the email password). It is also weaker than other factors in that it is only as secure as the email account and its transport (for example, whether messages are encrypted end-to-end).

Users do not need to explicitly enroll with email MFA. They will be able to use it when they have a verified email. This happens when they:

  • Complete the email verification flow, which updates the email_verified field using the Management API.

  • Log in with a connection that provides verified emails (such as Google).

You can only enable email as an MFA factor if there is already another factor enabled.

In short, it is not intended that some users will have an email enrollment and others will not. It serves only as a backup to a primary factor, and users are implicitly enrolled in email MFA when the factor is enabled and, as noted above, their email address is verified.
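To make the behaviour above concrete, here is an added example (not code from the article or from Auth0) that models the enrollment state a Rule actually sees: a verified address plus the tenant setting yields the implicit email backup, while the user.multifactor array, which is empty right after a dashboard reset, is the only evidence of a primary factor. The tenant description, the sample profile and the rule name are assumptions for illustration.

```javascript
// Added example; not from the Auth0 article or Auth0's own code base.
// Models the enrollment state described above so a Rule can tell the
// implicit email backup apart from a real primary enrollment.
// Assumptions: `tenant` is a constructed description of the factors the
// tenant has enabled; `user.multifactor` is the array the rules pipeline
// exposes, which is empty right after a dashboard reset even while the
// profile still reads "Enrolled using Email".

function describeMfaState(user, tenant) {
  // Email can only be enabled when another factor is already enabled.
  if (tenant.emailFactorEnabled && !tenant.primaryFactorEnabled) {
    throw new Error('email factor requires another enabled factor');
  }
  const enrolled = Array.isArray(user.multifactor) ? user.multifactor : [];
  // Anything the pipeline lists other than email counts as a primary factor.
  const primaryEnrolled = enrolled.some((factor) => factor !== 'email');
  // Implicit enrollment is derived from the verified address and the tenant
  // setting; it is never present in the array and survives a reset.
  const emailBackupAvailable =
    tenant.emailFactorEnabled === true && user.email_verified === true;
  return {
    primaryEnrolled,
    emailBackupAvailable,
    // Email alone is not a second factor, so a primary one is still needed.
    needsPrimaryEnrollment: !primaryEnrolled,
  };
}

// Rule in Auth0's (user, context, callback) shape. The tenant description is
// constructed here; a real rule would read it from configuration.
function requirePrimaryFactorRule(user, context, callback) {
  const tenant = { emailFactorEnabled: true, primaryFactorEnabled: true };
  const state = describeMfaState(user, tenant);
  if (state.needsPrimaryEnrollment) {
    // Request MFA; assumed: with no primary enrollment Auth0 prompts the user
    // to enroll one rather than falling back to the email backup.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Constructed sample: a profile right after a dashboard factor reset.
const afterReset = { email_verified: true, multifactor: [] };
const demoContext = {};
requirePrimaryFactorRule(afterReset, demoContext, (err, u, ctx) => {
  if (err) throw err;
  const tenant = { emailFactorEnabled: true, primaryFactorEnabled: true };
  console.log(describeMfaState(u, tenant), ctx.multifactor);
});
```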