MFA - Default Subset of Users to Email

We’ve recently received a requirement to default a subset of our users to email as their multifactor provider. These users are not allowed cell phones / devices at their desks, and are therefore unable to use the other methods available. We’ve attempted to override the default provider through rules, but SMS (our main MFA provider) is defaulted regardless. In short, we’d like to jump right to the last step of this diagram for a given user population: https://cdn2.auth0.com/docs/media/articles/multifactor-authentication/mfa-email.png

How can this be accomplished?

Thanks in advance!

Hi @pbargerstock, Email can be used as a fallback MFA factor only - the user should always have something else as the primary factor. I think you may have already seen our docs here: Configure Email Notifications for MFA

If this is a deal-breaker, two options for the users would be to:

  1. Use a desktop OTP generator app to enroll with the MFA, so they do not need the phone with them. I know the 1Password app supports this, but there might be other apps too.
  2. Ask the user to initially enroll through a device, and then always log in with the ‘Try another method’ link and select ‘Email’. This is, of course, less preferable.
2 Likes
