MFA methods with first login

Problem statement

We have successfully set up Multi-Factor Authentication (MFA) for a separate application using Actions and application metadata. We have also enabled multiple MFA options such as One-time password, Email, and Recovery Code. Additionally, we have enabled the “Show Multi-Factor Authentication options” setting.

Is there a way to configure a setting that allows users to switch between MFA methods during their first login? Currently, when I attempt to log in for the first time with MFA enabled, I am required to set up an Authentication app by scanning a QR code. After that, I was able to change the MFA method.

Solution

If the three factors you intend to have enabled are just OTP, Email, and Recovery Code, then unfortunately we do not have a way to present the user with a choice on enrollment between these three. This is because Email and Recovery Code are only considered to be backups to the primary MFA factors, and cannot be the only factor that a user is enrolled with.

If you did intend for any of the other factors to be enabled as well, such as SMS, then you could enable “Show Multi-Factor Authentication options” at the bottom of the Multi-Factor settings page in the dashboard. This will display a screen with different buttons for enrollment options instead of automatically providing the most secure option to the user.