Email MFA Not Visible for Enrolled Users

Problem Statement

Email MFA is not showing up in the options, although it is enabled.

Symptoms

Users can’t see the email factor in the MFA options.

Steps to reproduce

  1. Log in.
  2. Get prompted for MFA.
  3. Select "Try another method" and look for the email factor.

Troubleshooting

  • Check the user's MFA enrollment (reset if needed).
  • Check the user's email verification status.
  • Check the email factor in Dashboard > MFA.

Cause

Email factor has the following requirements:

  • it only works with New Universal Login
  • it needs to be an alternative to other factors
  • it can be activated by users after they complete a second-factor authentication with another method (SMS, Guardian, etc.). It can’t be started first (not a valid 2FA).

Additionally, users do not need to enroll with email MFA explicitly. They will be able to use it when they have a verified email. If you reset MFA for a user, but the email factor is toggled on in the dashboard, it will remain enrolled since the email is verified.

Solution

1. Complete verification

An email address can become verified in any of the following ways:

  • Users can complete the email verification flow, which updates the email_verified attribute to true.
  • A tenant Admin can edit a user's configuration and set the email as verified.
  • Users can log in with a connection that provides verified emails (such as Google).

2. Enrollment with another factor (other than email)

After this, the user can add the email factor to MFA.

The theory behind this is that email is the primary factor in authenticating an individual, so it cannot be a valid second factor. But after another method reinforces the authentication, a user can choose to receive a code in the email account.
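
The checks from the Troubleshooting and Cause sections can be run together over a set of user records. The following is an added example, not code from the product or its documentation. Only email_verified is a field named on this page; the other keys and the rule that an enrollment must be "confirmed" are assumptions, and the sample records are constructed.

```python
# Added example. Only email_verified is a field named on the page; every other
# key ("login_experience", "enabled_factors", "enrollments", "type", "status")
# is a hypothetical name, and all records below are constructed.

def email_factor_blockers(tenant, user):
    """Return the reasons the email factor would not be offered to this user."""
    blockers = []
    enabled = set(tenant.get("enabled_factors", []))
    # Tenant-level requirements from the Cause section.
    if tenant.get("login_experience") != "new":
        blockers.append("tenant is not on New Universal Login")
    if "email" not in enabled:
        blockers.append("email factor is toggled off")
    elif not enabled - {"email"}:
        blockers.append("email is the only factor; it must be an alternative")
    # User-level requirements. Strict check: a missing or non-boolean
    # email_verified value is treated as unverified.
    if user.get("email_verified") is not True:
        blockers.append("email is not verified")
    # Assumption: an enrollment counts only once its status is "confirmed".
    other = [e for e in user.get("enrollments", [])
             if e.get("type") != "email" and e.get("status") == "confirmed"]
    if not other:
        blockers.append("no enrollment with a factor other than email")
    return blockers

def triage(tenant, users):
    """Map user_id -> blockers, keeping only users who would not see email."""
    report = {u["user_id"]: email_factor_blockers(tenant, u) for u in users}
    return {uid: why for uid, why in report.items() if why}

TENANT = {"login_experience": "new", "enabled_factors": ["email", "sms", "otp"]}
USERS = [  # constructed sample records
    {"user_id": "u1", "email_verified": True,
     "enrollments": [{"type": "sms", "status": "confirmed"}]},
    {"user_id": "u2", "email_verified": False,
     "enrollments": [{"type": "otp", "status": "confirmed"}]},
    {"user_id": "u3", "email_verified": True, "enrollments": []},  # MFA was reset
    {"user_id": "u4", "email_verified": "true",  # string, not boolean
     "enrollments": [{"type": "sms", "status": "pending"}]},
]

if __name__ == "__main__":
    for uid, why in triage(TENANT, USERS).items():
        print(uid, "->", "; ".join(why))
```

An empty result for a user means every requirement listed above is met, so the email factor should appear under "Try another method".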
