We’ve recently received a requirement to default a subset of our users to email as their multifactor provider. These users are not allowed cell phones / devices at their desks, and are therefore unable to use the other methods available. We’ve attempted to override the default provider through rules, but SMS (our main MFA provider) is defaulted regardless. In short, we’d like to jump right to the last step of this diagram for a given user population: https://cdn2.auth0.com/docs/media/articles/multifactor-authentication/mfa-email.png
If this is a deal-breaker, two options for the users would be to:
Use a desktop OTP generator app to enroll with the MFA, so they do not need the phone with them. I know the 1-Password app supports this, but there might be other apps too.
Ask the user to initially enroll through a device, and then always log in with the ‘Try another method’ link and selecting ‘Email’. This is, of course, less preferable.