Enable only email MFA

Hi! We started subscribed to the Enterprise plan to use email MFA.
We only want to use email as an MFA factor, but it seems we can’t enable email only.
Currently, we have both SMS and email options enabled.
Is there any way to enable only the email factor?
I understand email isn’t considered a true MFA according to posts from a few years ago, but I’m hoping there have been updates since then.

Actually, I found a way to enable only email MFA when the user logs in.

  1. Enabled ‘Customize MFA Factors using Actions’ in the Auth0 dashboard.
  2. Added the following code to the post-login Action:
exports.onExecutePostLogin = async (event, api) => {
    if (event.stats.logins_count > 1) {
        api.authentication.challengeWith({ type: 'email' });
    }
};

I used event.stats.logins_count > 1 because when a user registers, it increases logins_count to 1. If I remove that condition and execute api.authentication.challengeWith({ type: 'email' }) during registration, I get an error.

So, my question: Is there any way to display email MFA only when the user first registers?
By default, it displays other factors such as SMS.
I know Auth0 sends a verification email to the user, but I want to display the Email MFA option the same as when logging in.

Thank you in advance!

I haven’t visited the Auth0 community for a while, but for your information, I have resolved the issue.
Select the ‘Never’ for the Require Multi-factor Auth in the setting and added the code something like this

exports.onExecutePostLogin = async (event, api) => {
    if (event.stats.logins_count > 1) {
         if (event.user.email_verified) {
                 api.multifactor.enable('any')
                 api.authentication.challengeWith({ type: 'email' });
         }
    }
};

to enable only the email option.
I’m leaving this note for anyone who might have a similar issue.

1 Like

That’s great @ywaka thanks for sharing your solution! :white_check_mark:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.