Enrolling in More Than One MFA Factor

Problem Statement

Users are enrolled in SMS MFA and now need the option of enrolling in OTP MFA as well. OTP is enabled as a factor, but it seems users are not prompted to enroll in it if they already have SMS enrolled.

Cause

This is expected behavior: Auth0 allows enrollment of only one MFA factor through the login/signup flow. If SMS is already enrolled and OTP is wanted as an alternate factor, it can be added via the Management API.

Solution

The POST /api/v2/users/{id}/authentication-methods endpoint creates an authentication method for a given user. Authentication methods created via this endpoint will be auto-confirmed and should already have verification completed.

Auth0 will also use the most secure factor first, so these users will be prompted first for OTP, but can select another method and choose SMS instead.
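Because the endpoint auto-confirms whatever it is given, the sketch below checks that the user's authenticator app already produces a correct code for the new secret before the POST is built. It is an added example, not Auth0's code or part of the original article. Assumptions: the body fields `type` and `totp_secret`, standard RFC 6238 parameters (HMAC-SHA1, 6 digits, 30-second step), a Management API token allowed to create authentication methods, and the constructed tenant, user id and token placeholders.

```python
import base64, hashlib, hmac, json, secrets, struct, time
import urllib.parse, urllib.request

def new_totp_secret() -> str:
    """Random 160-bit secret, Base32 without padding."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1); these parameters are assumed, not from the page."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation offset
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def code_is_valid(secret_b32: str, code: str, now: float = None) -> bool:
    """Accept the current 30 s step and one step either side (clock drift)."""
    now = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30).encode(), code.encode())
               for d in (-1, 0, 1))

def build_enroll_request(domain, user_id, mgmt_token, secret_b32, name="Authenticator app"):
    """Build (not send) the POST; body field names are assumed from the API schema."""
    uid = urllib.parse.quote(user_id, safe="")  # "auth0|abc" -> "auth0%7Cabc"
    body = {"type": "totp", "name": name, "totp_secret": secret_b32}
    return urllib.request.Request(
        f"https://{domain}/api/v2/users/{uid}/authentication-methods",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    secret = new_totp_secret()         # delivered to the user's app out of band
    typed = totp(secret, time.time())  # stands in for the code the user types back
    if code_is_valid(secret, typed):   # enroll only after the proof succeeds
        req = build_enroll_request("tenant.example", "auth0|constructed-id",
                                   "MGMT_TOKEN_PLACEHOLDER", secret)
        print(req.get_method(), req.full_url)  # send with urllib.request.urlopen(req)
```

The secret is as sensitive as a password: keep it out of logs and discard it once the request has succeeded.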