MFA with Email as the Only Factor

Last Updated: Jan 2, 2025

Overview

This article describes how to configure Email as the only multi-factor authentication (MFA) factor for the tenant.

Applies To

  • Multi-factor Authentication (MFA)
  • Email
  • Actions

Solution

‘Email’ can be configured as an MFA factor using one of two methods.

Configure via the dashboard

Steps to configure ‘Email’ as a factor:

  1. Log in to the dashboard.
  2. Navigate to Security > Multi-factor Auth.
  3. Select ‘Email’ from the list of MFA factors.

NOTE: ‘Email’ is not true MFA: a one-time code delivered to a mailbox is only as strong as the password protecting that mailbox, so it does not represent a factor independent of the user’s password. For this reason, the dashboard will not allow ‘Email’ to be configured as the sole MFA factor.

Configure via the Management API

It is possible to configure ‘Email’ as the sole MFA factor through the Management API endpoint that updates an MFA factor. For more information, read Update a multi-factor authentication factor. The Management API access token must carry the update:guardian_factors scope. Here is a sample ‘curl’ command:

curl -X PUT \
  -H "Authorization: Bearer eyJ..redacted" \
  -H "Content-Type: application/json" \
  -d '{"enabled":true}' \
  https://[your-auth0-login-domain]/api/v2/guardian/factors/email

To confirm the resulting state, send a GET request to the same URL (this requires the read:guardian_factors scope) and check that the ‘email’ factor is reported as enabled.

NOTE: Using the Management API to enable ‘Email’ as the sole MFA factor is not something that should be advertised or encouraged. The official stance is that ‘Email’ should only be used as a secondary MFA factor, alongside a factor that is independent of the user’s password.

Additional Points

  • ‘Email’ is only supported as an MFA factor when the New Universal Login experience has been enabled for the tenant.

  • If ‘Email’ is the only factor and the user’s email address has not been verified, turning on MFA by setting “Always” in the “Require Multi-factor Auth” setting will cause a login failure with “No MFA factors enabled for enrollment”, because the user has no verified address to enrol with.

    To avoid this error, mark the user’s email as verified (the email_verified user attribute) during the account creation/sign-up step, but only after confirming that the address belongs to the user; marking an unconfirmed address as verified would deliver the MFA code to a mailbox the user may not control.

  • Alternatively, set “Never” in the “Require Multi-factor Auth” setting and trigger MFA from a Post-Login Action only for users who have completed email verification. Here is a sample Action:

exports.onExecutePostLogin = async (event, api) => {
    // Only challenge users whose email address has been verified; with
    // Email as the sole factor, an unverified user cannot enrol.
    if (event.user.email_verified) {
        // 'any' lets Auth0 pick from the enabled factors (here, only Email);
        // allowRememberBrowser lets the user skip the challenge on a
        // remembered browser for the tenant's configured period.
        api.multifactor.enable('any', { allowRememberBrowser: true });
    }
};

This simple Action does not account for the Silent Authentication (prompt=none) and Refresh Token flows, in which no MFA prompt can be shown to the user, so it needs to be updated according to application requirements.
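The following is an added example, not code from the original article or from Auth0, showing one way to extend the Action above so that it keeps the verified-email condition and also skips the MFA challenge in the two flows the article calls out. It assumes the Auth0 Actions event exposes event.user.email_verified, event.request.query.prompt (the value 'none' for silent authentication) and event.transaction.protocol (the value 'oauth2-refresh-token' for a refresh-token exchange); the decide and runAction helpers and the sample events are constructed for this example and are not part of the Actions API.

```javascript
// Added example (not from the original article or from Auth0): a Post-Login
// Action that requires MFA only for users with a verified email and skips
// the challenge in flows where Auth0 cannot render an MFA prompt.
//
// Assumed event fields (names are assumptions for this example):
//   event.user.email_verified    true once Auth0 has verified the address
//   event.request.query.prompt   'none' on a silent-authentication request
//   event.transaction.protocol   'oauth2-refresh-token' on a refresh-token exchange
// Assumed api method: api.multifactor.enable(provider, options), as in the article.

const SKIP_PROTOCOLS = new Set(['oauth2-refresh-token']);

// Pure decision function so the policy can be tested without Auth0.
// Returns 'require' or one of the 'skip:*' reasons.
function decide(event) {
  const user = event.user || {};
  const query = (event.request && event.request.query) || {};
  const transaction = event.transaction || {};

  // Email is the only factor: an unverified user has nothing to enrol with,
  // so forcing MFA here would fail the login.
  if (user.email_verified !== true) return 'skip:unverified-email';

  // Silent authentication cannot show a challenge; it would fail instead.
  if (query.prompt === 'none') return 'skip:silent-auth';

  // A refresh-token exchange has no interactive session to challenge in.
  if (SKIP_PROTOCOLS.has(transaction.protocol)) return 'skip:refresh-token';

  return 'require';
}

const onExecutePostLogin = async (event, api) => {
  if (decide(event) === 'require') {
    api.multifactor.enable('any', { allowRememberBrowser: true });
  }
};

// Auth0 loads an Action as a CommonJS module and invokes this export.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Local harness (constructed for this example): a recording stand-in for the
// Actions `api` object. The Action body contains no `await`, so the recorded
// calls are populated synchronously before the returned promise settles.
function runAction(event) {
  const calls = [];
  const fakeApi = {
    multifactor: {
      enable: (provider, options) => calls.push({ provider, options }),
    },
  };
  onExecutePostLogin(event, fakeApi);
  return calls;
}

// Constructed sample events, not real Auth0 data.
const SAMPLE_EVENTS = {
  verifiedInteractive: {
    user: { email: 'alice@example.com', email_verified: true },
    request: { query: {} },
    transaction: { protocol: 'oidc-basic-profile' },
  },
  unverified: {
    user: { email: 'bob@example.com', email_verified: false },
    request: { query: {} },
    transaction: { protocol: 'oidc-basic-profile' },
  },
  silentAuth: {
    user: { email: 'alice@example.com', email_verified: true },
    request: { query: { prompt: 'none' } },
    transaction: { protocol: 'oidc-basic-profile' },
  },
  refreshToken: {
    user: { email: 'alice@example.com', email_verified: true },
    request: { query: {} },
    transaction: { protocol: 'oauth2-refresh-token' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, event] of Object.entries(SAMPLE_EVENTS)) {
    const enabled = runAction(event).length > 0;
    console.log(name, '->', decide(event), enabled ? '(MFA enabled)' : '(no MFA)');
  }
}
```

Only the onExecutePostLogin export is what Auth0 runs; decide, runAction and SAMPLE_EVENTS exist so the policy can be exercised locally before the Action is deployed. Keeping the decision in a pure function makes it easy to add further skip conditions (for example other values of event.transaction.protocol) without touching the call to api.multifactor.enable.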

Related References