We received the “invalid_request (No MFA factors enabled for enrollment)” error after disabling WebAuthn Device Biometric.
The ‘Identifier First + Biometrics’ Authentication Profile was enabled with the New Universal Login experience. However, the Universal Login page has been customized, which means the tenant is using the Classic Login experience, which has automatically updated the Authentication profile to ‘Identifier + Password’ as the ‘Identifier First + Biometrics’ is only available with the New Universal Login experience.
Navigate to Dashboard → Authentication → Authentication Profile → click on ‘Identifier + Password’ option (even if it appears to be selected) → click on the ‘Save’ on the top right corner:
This will override the previously selected ‘Identifier First + Biometrics’ Authentication Profile with ‘Identifier + Password’.
Now when you disable the ‘WebAuthn with FIDO Device Biometrics’ MFA option in Dashboard → Security → Multi-factor, the user should be able to login successfully without provide biometrics.