We currently have SMS/Phone MFA enabled but would like to also provide the option for our users to exclusively use e-mail. Enabling the e-mail option is easy enough and when the user is met with the SMS MFA screen they have the option to select “Try another way”.
However, it appears that the user still has to initially provide a phone number and can’t simply select the email option until a phone number has been set and verified.
Is there a way around this without requiring a user to have a phone?
Currently, email MFA is only available as an optional backup multi-factor method. The user must have another method as the primary form of multi-factor authentication. Enabling email MFA as a standalone multi-factor method is on the Auth0 roadmap.
Thanks for your response. The reason why we want to provide e-mail is because we may have users who don’t have access to a phone.
Alternatively, we would perhaps be open to have the option to disable SMS MFA for select users, but this isn’t possible as I understand it. However, would there be a way to accomplish selected SMS MFA using rules and custom attributes?
If a user has setup SMS or TOTP MFA, would it be possible to disable e-mail MFA for that user?
We enabled e-mail MFA for users that can’t or don’t have a company phone or want to use their private phone to setup SMS MFA or install/setup an app like Google Authenticator.
The downside is though that for other users, that do have this setup, are now also able to use the e-mail MFA which I feel makes their accounts less secure.
If - in a hypothetical situation - a malicious user knows your password and also has access to your inbox (which - let’s be honest - in many cases is possible because it was setup using that same password), they’ll just login with your username and password and use the e-mail MFA to get in.
I feel it would be nice to protect users that took the effort to setup MFA on their devices.