When multiple MFA factors are enabled, we need guidance on how to set the default factor shown when the user is first prompted for MFA.
- Multiple factors enabled
- One of them is always shown by default when the user is prompted for MFA
- Enable multiple factors with different security levels, such as email, SMS and OTP
- Trigger MFA and notice that one of them is always shown by default
The default is determined by the security level assigned to each factor and can’t be configured. Some factors are considered less risky than others, so these are set as the default factor when prompting: push > OTP > SMS.
The default factor cannot be changed; however, the enrollment page can be configured to show all of the enabled MFA factors for the user to choose from.
- In the Additional Settings section, locate the Show Multi-factor Authentication options setting.
- Enable this toggle to allow users to select authentication factors upon enrollment.
- Disable this toggle to allow Auth0 to automatically select the most secure authentication factors upon enrollment.