Multifactor Auth only showing Guardian, not email, in New Universal Login

On my free account, I enabled MFA (Guardian and Email), and am using the New Universal Login (not Classic). When testing authentication, my users see an option to use Guardian only – there is no indication that an email will be sent for MFA. However, the user does receive the email.

From the user’s perspective, this is broken, because they cannot verify their account without using Guardian, but they get an email for verification.

Hi @capoeiranewsonline and welcome to the Auth0 Community!

From what you’ve described, that sounds like the expected behavior for the MFA flow, which by default will prompt the user first with the most secure authentication method available (in your case the Guardian app). Are you looking for perhaps some dialogue box that the end-user can see informing them to verify their email as well? I don’t quite understand how they’d interpret this flow as broken, but it may be a bit confusing if they weren’t aware that there was multi-factor auth enabled.

Best,
Colin

Thanks for the reply, Colin.

If what you’ve described is true, this phrase in the Auth0 docs is misleading:
“Users will be able to use any of the factors enabled in the Dashboard.”

The user is not able to use any of the factors, but only the “most secure” factor as determined by Auth0. Additionally, there is no indication that the user may check their email to verify their account in a different way – they are simply presented with the Guardian option and the typical user would be likely to bounce away at that point, given the friction this presents.

In my opinion, the MFA+Email experience is broken as it is not presented to the user at all. Given that MFA is almost a necessity now for secure applications, this is a determining factor when choosing to use Auth0 or another solution.
