MFA with Email as an Only Factor

Problem statement

How to configure Email as the only MFA factor in the tenant?


‘Email’ can be configured as an MFA factor using one of two methods.

  • 1. Configure via the dashboard

Steps to configure ‘Email’ as a factor:

  1. Login to the dashboard.
  2. Navigate to Security > Multi-factor .
  3. Select ‘Email’ from the list of MFA factors.

NOTE: ‘Email’ is not true MFA because it does not represent a different factor than the user’s password. For this reason, the dashboard will not allow ‘Email’ to be configured as the sole MFA factor.

  • 2. Configure via the Management API

It is possible to configure ‘Email’ to be the sole MFA factor through a call to update the MFA Factor. For more information, read Update a multi-factor authentication factor. Here is a sample ‘curl’ command:

curl -H "Authorization: Bearer eyJ..redacted" -X PUT -H "Content-Type: application/json" -d '{"enabled":true}' https://[your-auth0-login-domain]/api/v2/guardian/factors/email

NOTE: Use of the Management API to enable ‘Email’ as the sole MFA factor is not something that should be advertised or encouraged. The official stance is that ‘Email’ should only be used as a secondary MFA factor.

Additional Points

  • ‘Email’ is only supported as an MFA factor when New Universal Login has been configured in the tenant
  • If ‘Email’ is the only factor and the user’s email address has not been verified, turning on MFA by setting “Always” in the “Require Multi-factor Auth” setting will cause a login failure with “No MFA factors enabled for enrollment”.

To avoid this error, set the user’s email as Verified during the account creation/sign-up step after confirming that the email belongs to the user.

  • Alternatively, set MFA to “Never” in the “Require Multi-factor Auth” setting and then trigger the MFA with a Rule or Action for the users who have completed the email verification. Here is a sample Rule:
function multifactorAuthentication(user, context, callback) {
 if (user.email_verified === true) {
    context.multifactor = {
      provider: 'any',

      // optional, defaults to true. Set to false to force authentication every time.
      // See  frequency-of-authentication-requests for details
      allowRememberBrowser: false
  callback(null, user, context);

This simple Rule does not handle the Silent Authentication and Refresh Token flows, so it needs to be updated according to application requirements.

Related References