I have been trying to implement auth0 MFA with my web app and I have been running in some issues.
I am not able to set email only MFA for users, it makes me enable more than just email, which leads the user to set MFA with other factor such as phone number.
Whenever the user logs successfully through MFA it redirect it to the login page (loop) unless the user checks remember this browser.
I am not able to set this for some users only, I have been able to set it up required or disabled for all users.
Email for MFA can only be a secondary factor at this time.
The redirect loop could be the application /callback endpoint redirecting back to the login page for some reason.
An example would be your /callback endpoint makes a silent authentication request to /authorize to get an Access Token for a different audience. MFA is enforced on all authentications, so this triggers a redirect to the Auth0 Login page.
If you want fine-grain control over when MFA is triggered, you can handle this through Actions or Rules using javascript.
You would set Require Multi-factor Auth to None in the dashboard and use an Action or a Rule to initiate it based on conditions.
I’m including some links that I think will be helpful.
Auth0 Actions:
Enforce Custom MFA policy from Auth0 Post Login Action:
MFA with Silent Authentication (note the example is using a rule, you can also do this in an Action):