Login with OTP sign-up recommended by bypassable

adamhersh10 · September 17, 2023, 6:37pm

I want my users to be prompted for OTP setup, but be able to fallback to email as 2FA if needed, such as the “Try Another Method”.
My users should be encouraged to sign-up for OTP/push-notifications without being required to.
Currently, my users do not require MFA when signing in (prior to Auth0 deployment), I would prefer a slower, phased approach to getting users enrolled rather than a waterfall of OTP requirements.
Similar to how Google will remind you to setup recovery information or enable MFA when signing in.

I had an action using “api.authentication.challengeWithAny([{ type: ‘email’ }, { type: ‘otp’ }]);” but this did not seem to do anything.
I did read here: Configure Email Notifications for MFA
That “You can only enable email as an MFA factor if there is already another factor enabled.”
Guessing that’s why the challenge is not working.

saltuka · September 17, 2023, 8:40pm

This API needs a support ticket to enable the feature for you. If you are a free customer that may not be possible until it is generally available.

Related link;

Having said this, for your use case it may be a better idea to enroll the users with MFA API documented on this link.

adamhersh10 · September 20, 2023, 7:40pm

Thanks for the feedback, didn’t realize it was early-access only.

We decided to disable MFA sign-up, and send users to a custom sign-up page to allow them to opt-in.