It is a very odd behaviour that a more specific endpoint that queries by an index a single element brings less information that the generic one that needs to select many elements by query. Do I have to use a search if I know the user id just because the indexed method does not allow the information I need?
I have seen the Welcome to Auth0 Docs - Auth0 Docs , that brings more information than the multifactor field, but it requires an extra request, and the extra info is not needed.
This should be probably a bug. If you add no fields to the method then the multifactor field is included in the response, and the response schema in the API docs includes the field.
Allow me some time to research on my end regarding this endpoint behaviour and hopefully I can return with some additional information.
At this moment it does seem like a design choice, as the described behaviour is also reflected on my end. When attempting to add the " multifactor " field, it returns an error that lists all the possible field options and " multifactor " is not one of them, despite being returned when no filter is applied.
Depending on the use-case, I agree that our List or Search Users endpoint should be working well for cases where you require to list users with the multifactors, since as you’ve mentioned, it does accept multifactor as a searchable field.
After doing some research and some testing, I understand the confusion that this behaviour can create and currently it appears to be a product design choice. The Get a User endpoint displays the primary Authenticator of the user, while the Get a list of authentication methods will display the fallback authenticator, as TOTP is not considered a primary Authenticator.
Within the tenant, it is not possible to only enable Email ( as an example ) as a factor, but it needs an additional stronger factor, which will be the primary one, in order to Email to function as a MFA option. I have found the following Support article that goes over how to Distinguish between OTP and Fallback OTP for Push Authenticators, which provides some details regarding OTP authentication that we can use to understand the current behaviour.
I agree with @JFoxUK’s suggestion of submitting Product Feedback on this matter, as the page is being monitored by our Product team and they have visibility over all suggestions. Other users can cast their vote on all suggestions and can help accelerate the development of desired features/functionalities.
Hopefully I was able to provide some context on this matter, please do not hesitate to reach out to us for any other issues or concerns.
