What if I’d like to force the user to use SMS, but the user was using OTP?
Also, api.authentication.enrollWith does not work when I tested it in the Authentication Profile. I guess it should bring me to the page for configuring SMS, but it does nothing.
Yes, you should be able to force the user to configure at least 2 MFA methods.
One solution is to use the api.access.deny() method to block the user from logging in until they have configured at least 2 MFA methods.
To keep track of how many methods a user has enrolled, you can either append this information in the user_metadata or find it by calling the Management API’s GET /api/v2/users/{id}/authentication-methods endpoint.
Yes, using the Post-Login action in your login flow should work.
Now, you won’t be able to redirect your user back to the enrollment page directly. But you can log them out so the session doesn’t stay “stuck” from being denied, and then you can allow them to reauthenticate and enroll with the other MFA factors. You will want to inform your users that they are being denied access until they have enrolled with at least 2 MFA factors.
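The deny-until-two-methods check described in the answers above, as an added example that is not code from the thread or from Auth0. It assumes the authentication-methods endpoint returns an array of objects with `type` and `confirmed` fields; `fetchMethods`, the excluded types and the choice to count distinct types are assumptions of this sketch.

```javascript
// Added example (not from the thread). REQUIRED_METHODS mirrors the
// "at least 2 MFA methods" policy discussed above.
const REQUIRED_METHODS = 2;

// Assumption: these type values are not second factors and must not count.
const NOT_MFA = new Set(['password', 'recovery-code']);

// Count distinct, confirmed MFA types in the (assumed) response shape of
// GET /api/v2/users/{id}/authentication-methods.
function countMfaTypes(methods) {
  const types = new Set();
  for (const m of methods || []) {
    if (!m || typeof m.type !== 'string') continue;
    if (m.confirmed === false) continue; // enrollment started but never finished
    if (NOT_MFA.has(m.type)) continue;
    types.add(m.type); // two phones still count as one type (assumption)
  }
  return types.size;
}

// Deny the login when too few methods are enrolled; returns true if allowed.
function enforceMinimumMfa(api, methods) {
  const count = countMfaTypes(methods);
  if (count < REQUIRED_METHODS) {
    // The reason string is where the user learns why access was denied.
    api.access.deny(
      `Enroll at least ${REQUIRED_METHODS} MFA methods (currently ${count}), then log in again.`
    );
    return false;
  }
  return true;
}

// Builds a Post-Login handler. fetchMethods(userId) is a hypothetical,
// caller-supplied function that calls the Management API endpoint.
const makePostLoginHandler = (fetchMethods) => async (event, api) => {
  let methods;
  try {
    methods = await fetchMethods(event.user.user_id);
  } catch (err) {
    // Fail closed: an unverifiable enrollment state is treated as not compliant.
    api.access.deny('Could not verify MFA enrollment. Please try again.');
    return;
  }
  enforceMinimumMfa(api, methods);
};

// Constructed sample data: one confirmed TOTP, one unconfirmed phone.
const SAMPLE_METHODS = [
  { type: 'password', confirmed: true },
  { type: 'totp', confirmed: true },
  { type: 'phone', confirmed: false },
];
```

In an Action, assign `makePostLoginHandler(yourFetcher)` to `exports.onExecutePostLogin`, where `yourFetcher` is your own Management API call.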