Resetting User's MFA in Dashboard does not Remove Email Enrollment

Problem statement

Why does resetting a user’s MFA in the dashboard not remove the email enrollment?

Solution

This occurs for two reasons:

  1. Email is only intended to be used as a backup factor.
  2. Users are automatically enrolled to the email factor if their email address is verified and the email factor is enabled in the tenant.

Refer to the following article for more details - Configure Email Notifications for MFA

Email is not a true MFA factor because it does not represent a different factor from the password. It is not something you have or something you are, but rather just another thing you know (the password to the email account). It is also weaker than other factors because it is only as secure as the email channel itself (for example, whether or not the email is encrypted end-to-end).

Users do not need to explicitly enroll with email MFA. They will be able to use it when they have a verified email. This happens when they:

  • Complete the email verification flow, which updates the email_verified field using the Management API.
  • Login with a connection that provides verified emails (such as Google).

Email can only be enabled as an MFA factor if another factor is already enabled.

In short, it’s not intended that some users will have an email enrollment and others will not. It serves only as a backup to a primary factor, and users are implicitly enrolled into email MFA if enabled and, as mentioned above, if their email address is verified.
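The following is an added illustrative model, not Auth0's own code, of the behaviour described above: email is an implicit backup enrollment derived from the tenant's factor settings and the user's `email_verified` flag, so a dashboard MFA reset (which clears explicit enrollments) leaves it in place. The `Tenant`, `User`, `active_factors` and `reset_mfa` names, and the in-memory state, are assumptions made for this example; the real state lives in the tenant and in the Management API.

```python
"""Model of implicit email MFA enrollment (added example, not Auth0's code).

Assumptions for this example:
  * Tenant.enabled_factors is the tenant-level MFA factor configuration.
  * User.enrollments holds only explicit enrollments (otp, push, sms, ...).
  * Email enrollment is never stored; it is derived on the fly.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    enabled_factors: set = field(default_factory=set)

    def enable_factor(self, factor: str) -> None:
        # Email is a backup factor only: it may not be the sole enabled factor.
        if factor == "email" and not (self.enabled_factors - {"email"}):
            raise ValueError("email can only be enabled if another factor is enabled")
        self.enabled_factors.add(factor)


@dataclass
class User:
    email: str
    email_verified: bool = False
    enrollments: set = field(default_factory=set)  # explicit enrollments only

    def complete_email_verification(self) -> None:
        # Equivalent of the verification flow setting email_verified via the Management API.
        self.email_verified = True

    def login_with_connection(self, provides_verified_email: bool) -> None:
        # A connection such as Google that returns a verified email marks it verified.
        if provides_verified_email:
            self.email_verified = True

    def enroll(self, factor: str) -> None:
        self.enrollments.add(factor)


def active_factors(tenant: Tenant, user: User) -> set:
    """Factors the user can actually use to complete an MFA challenge."""
    factors = {f for f in user.enrollments if f in tenant.enabled_factors}
    # Implicit enrollment: email factor enabled in the tenant + verified address.
    if "email" in tenant.enabled_factors and user.email_verified:
        factors.add("email")
    return factors


def reset_mfa(user: User) -> None:
    """Dashboard-style reset: removes explicit enrollments only.

    Nothing is removed for email because nothing was ever stored for it;
    the implicit enrollment is recomputed from tenant settings + email_verified.
    """
    user.enrollments.clear()


def walkthrough() -> tuple:
    """Return (factors before reset, factors after reset) for a constructed user."""
    tenant = Tenant()
    tenant.enable_factor("otp")    # primary factor must come first
    tenant.enable_factor("email")  # now allowed as a backup

    user = User(email="user@example.test")  # constructed sample user
    user.enroll("otp")
    user.login_with_connection(provides_verified_email=True)

    before = set(active_factors(tenant, user))
    reset_mfa(user)
    after = set(active_factors(tenant, user))
    return before, after


if __name__ == "__main__":
    before, after = walkthrough()
    print("before reset:", sorted(before))
    print("after reset: ", sorted(after))
```

To actually remove the email option for one user you would have to change one of the inputs the derivation depends on (the tenant's email factor setting or the user's verified email), not reset the user's enrollments.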