Email MFA Not Visible for Enrolled Users

Problem Statement

Email MFA is not showing up in the options, although it is enabled.

Steps to reproduce

  1. Login
  2. Prompted to MFA
  3. Try another method and look out for the email factor

Cause

Email factor has the following requirements:

  • it only works with New Universal Login
  • it needs to be an alternative to other factors
  • it can be activated by users after they complete a second-factor authentication with another method (SMS, Guardian, etc.). It can’t be started first (not a valid 2FA).

Additionally, users do not need to enroll with email MFA explicitly. They will be able to use it when they have a verified email. If you reset MFA for a user, but the email factor is toggled on in the dashboard, it will remain enrolled since the email is verified.

Solution

1. Complete verification

Here are some ways in which email completes verification:

  • Users can complete the email verification flow, which updates the email_verified attribute to true.
  • A tenant Admin can edit a user configuration and set email as verified
  • Users can log in with a connection that provides verified emails (such as Google)

2. Enrollment with another factor (other than email)

After this, the user can add the email factor to MFA.

The theory behind this is that email is the primary factor in authenticating an individual, so it cannot be a valid second factor. But after another method reinforces the authentication, a user can choose to receive a code in the email account. You can find more information about this topic here: