Hi @idm_hunt,
Thanks for raising your question!
Yes, that is by design and is best explained in the excerpt below:
(Reference: Configure Email Notifications for MFA)
Because of this reason, it’s not possible to configure email to be the first MFA enrollment option and will default to the most secure factor enabled. Please see this knowledge solution which addresses this.
Thanks,
Rueben