Enable both SMS and email MFA without requiring a phone number?

We currently have SMS/Phone MFA enabled but would like to also provide the option for our users to exclusively use e-mail. Enabling the e-mail option is easy enough and when the user is met with the SMS MFA screen they have the option to select “Try another way”.

However, it appears that the user still has to initially provide a phone number and can’t simply select the email option until a phone number has been set and verified.

Is there a way around this without requiring a user to have a phone?

Hi!

Currently, email MFA is only available as an optional backup multi-factor method. The user must have another method as the primary form of multi-factor authentication. Enabling email MFA as a standalone multi-factor method is on the Auth0 roadmap.

from this doc:

Thanks for your response. The reason why we want to provide e-mail is because we may have users who don’t have access to a phone.

Alternatively, we would perhaps be open to having the option to disable SMS MFA for select users, but this isn’t possible as I understand it. However, would there be a way to accomplish selected SMS MFA using rules and custom attributes?

Sorry about the late reply,
Yes, you can use rules for custom MFA flows.

We have documentation around MFA in rules, including some sample contextual use cases here: Customize Multi-Factor Authentication Pages
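
A rule of the kind discussed in this thread, as an added example that is not code from the thread or from Auth0's documentation: it requires MFA for every user except those an administrator has explicitly exempted. The attribute name `mfa_exempt`, the function names and the sample users are hypothetical, and it assumes MFA is triggered from rules rather than forced for all users in the tenant settings.

```javascript
// Added example (not Auth0's or the posters' code).
// In the Auth0 Rules editor the rule is pasted as an anonymous
// function (user, context, callback); it is named here so it can run locally.
function selectiveMfa(user, context, callback) {
  // Read the flag from app_metadata only: user_metadata is meant for
  // user-editable data, so an exemption stored there could be self-granted.
  const appMeta = user.app_metadata || {};

  // Fail closed: only the strict boolean true exempts a user.
  // Missing metadata, "true" as a string, 1, etc. all still require MFA.
  const exempt = appMeta.mfa_exempt === true; // hypothetical attribute name

  if (!exempt) {
    // Setting context.multifactor in a rule asks Auth0 to challenge with
    // any factor enabled for the tenant.
    context.multifactor = { provider: 'any', allowRememberBrowser: false };
  }
  return callback(null, user, context);
}

// Local harness: run the rule against one profile and report the decision.
function runRule(user) {
  let decision = 'no-callback';
  selectiveMfa(user, {}, (err, _user, ctx) => {
    decision = err ? 'error' : (ctx.multifactor ? 'mfa-required' : 'mfa-skipped');
  });
  return decision;
}

// Constructed sample profiles, not real users.
const constructedUsers = [
  { email: 'no-phone@example.com', app_metadata: { mfa_exempt: true } },
  { email: 'default@example.com' },
  { email: 'self-set@example.com', user_metadata: { mfa_exempt: true } },
  { email: 'typo@example.com', app_metadata: { mfa_exempt: 'true' } },
];

for (const u of constructedUsers) {
  console.log(`${u.email}: ${runRule(u)}`);
}
```

Exempting an account removes its second factor entirely, so the flag should be set only through the Management API or dashboard by an administrator.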