Email as a secondary MFA

We currently have SMS set up as a 2FA. But some of our users are having issues (no phone I guess) and we want to enable email as 2FA. (Yes, we realize it isn’t considered true 2FA, oh well)
Under Security/MFA we have “email” enabled. Require MFA is set to never. Show MFA options is enabled. Then we have a post-login trigger that essentially does "api.multifactor.enable('any', { allowRememberBrowser: true });"
When the user creates an account they are asked to verify the email. They then verify the email and then they are asked to enter a phone number to get an sms.
How can we set this second one up to select email or sms?

Hi @chris.mcbride,

Welcome back to the Auth0 Community!

The email factor cannot be set as a stand-alone MFA factor for a user.

Since you are using an action which imposes the api.multifactor.enable('any', ...); method, you are essentially enforcing users into enrolling in MFA and they need to establish a primary/independent MFA factor such as WebAuthn with FIDO, OTP, Push-Notification, SMS or Duo, as mentioned in the Enable Multi-Factor Authentication.

Our Configure Email Notifications for MFA also points out that:

Users do not need to explicitly enroll with email MFA. They can use it when they have a verified email. This happens when they:

  • Complete the email verification flow which updates the email_verified field using the Management API.
  • Log in with a connection that provides verified emails (such as Google).

However, once an independent factor has already been set for a user, they can choose their preferred MFA method at the time of login, such as email MFA as well. This can be accomplished by enabling the Show Multi-Factor Authentication options setting, detailed in this article - Setting MFA Default Factor when Multiple MFA Factors are Enabled.

Because your Action is triggering a brand-new enrollment, the user must provide a primary factor (like SMS) first. Once that is done, they can then use the ‘Try another method’ link in the future to switch to Email. If you have users who truly cannot provide a phone number, you may want to enable Authenticator Apps (OTP) as an alternative primary factor in your Dashboard.

I hope this helps and if you have further questions please let me know!
Best regards,
Remus

Thank you for the response. It seems to me that if someone can’t use a phone number, the chances that they can use OTP are even lower.
I’m not sure I understand the design decision. But it is frustrating that you have an option that says “Users will receive an email message containing a verification code.” but doesn’t actually work. I guess it would be nice, if the Email option won’t work by itself, to make that clear.
Part of the issue is the documentation isn’t clear, and there are old posts that imply that it is coming.

Edit: Just want to point out, that your reply is even confusing. You start with “The email factor can not be set as stand-alone MFA” then you mention “Configure Email Notifications for MFA” which you say, says “They can use it [email] when they have a verified email.”
Honestly, this is confusing. In one spot you say you can’t do it, then in another spot you imply it can be done.
Now maybe it can be done, but WE can’t do it because we are enforcing our users to enroll in MFA.

Hi @chris.mcbride,

Thank you for replying to this thread. I totally understand that the documentation can be a bit confusing when it comes to registering Email as an MFA factor. As you have mentioned as well, this is a design decision, as Email is not considered a true Multi-Factor Authenticator and the recommendation is to only use Email as a secondary factor.

However, I was able to find a workaround for your use case. You can set the MFA to Never in the Require Multi-factor Auth setting, then trigger MFA with a Post-Login Action for users who have completed email verification.

Here is a sample action code that I have tested as well and prompts users only for email MFA:

exports.onExecutePostLogin = async (event, api) => {
  // Only returning users are considered; the very first login is left unchallenged
  if (event.stats.logins_count > 1) {
    // Only users with a verified email address can be challenged with the email factor
    if (event.user.email_verified) {
      api.multifactor.enable('any');
      api.authentication.challengeWith({ type: 'email' });
    }
  }
};

Please be advised that this is a simple action code, and it might need updates depending on your application’s requirements.

I hope this aligns better with your environment and if you have further questions please let me know.
Kind regards,
Remus
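The workaround in the reply above, run offline against constructed login events, as an added example that is not part of the original thread and not Auth0's own code. It assumes only the Action fields and methods named in the thread (event.stats.logins_count, event.user.email_verified, api.multifactor.enable and api.authentication.challengeWith); the recorder object standing in for Auth0's api, the sample events and the decideMfa helper are constructed for this example. Running it makes the two gaps in the sample action visible: a user's first login and a user without a verified email get no MFA challenge at all.

```javascript
// Added example, not code from Auth0 or from the thread's participants: an
// offline harness for the "email MFA via Post-Login Action" workaround above.
// Assumed to exist (as named in the thread): event.stats.logins_count,
// event.user.email_verified, api.multifactor.enable(provider, options) and
// api.authentication.challengeWith(factor). Everything else is constructed.

// Pure decision step, kept separate so each branch can be checked without Auth0.
function decideMfa(event) {
  const logins = (event.stats && event.stats.logins_count) || 0;
  const verified = Boolean(event.user && event.user.email_verified);
  if (logins <= 1) return 'skip:first-login';      // sample action leaves the first login unchallenged
  if (!verified) return 'skip:email-unverified';   // no verified address, so no email factor to use
  return 'challenge:email';
}

// The Action itself, in the shape Auth0 loads (exports.onExecutePostLogin).
async function onExecutePostLogin(event, api) {
  if (decideMfa(event) === 'challenge:email') {
    // Enforce MFA for this login, keeping the poster's remember-browser option
    api.multifactor.enable('any', { allowRememberBrowser: true });
    // Ask for the email factor specifically instead of the user's default factor
    api.authentication.challengeWith({ type: 'email' });
  }
}
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// Recorder standing in for Auth0's `api` object; it only logs what was requested.
function makeRecorderApi() {
  const calls = [];
  return {
    calls,
    multifactor: {
      enable: (provider, options) => calls.push({ method: 'multifactor.enable', provider, options }),
    },
    authentication: {
      challengeWith: (factor) => calls.push({ method: 'authentication.challengeWith', factor }),
    },
  };
}

// Constructed sample events covering the three branches.
const sampleEvents = {
  firstLogin:          { stats: { logins_count: 1 }, user: { email_verified: true } },
  unverifiedReturning: { stats: { logins_count: 4 }, user: { email_verified: false } },
  verifiedReturning:   { stats: { logins_count: 4 }, user: { email_verified: true } },
};

// Runs the Action against one sample event and returns the decision plus the
// recorded api calls. The Action body contains no await, so every call is
// recorded before the returned promise settles and the result is readable here.
function runSample(name) {
  const api = makeRecorderApi();
  onExecutePostLogin(sampleEvents[name], api);
  return { decision: decideMfa(sampleEvents[name]), calls: api.calls };
}

for (const name of Object.keys(sampleEvents)) {
  const { decision, calls } = runSample(name);
  console.log(name, '->', decision, calls.map((c) => c.method).join(', ') || '(no MFA requested)');
}
```

In a real Action only the onExecutePostLogin export is needed; the recorder, sample events and loop exist so the branches can be exercised without a tenant. If first-login users must also be challenged, the logins_count condition is the line to change, and users whose email is never verified still need a primary factor such as SMS or OTP, as the earlier reply explains.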