Background
I’m trying to enforce Email MFA only for certain users by using a Post Login Action:
```javascript
// Post Login Action: runs after every successful primary authentication
exports.onExecutePostLogin = async (event, api) => {
  if (event.user.app_metadata?.mfa === true) {
    api.multifactor.enable("email");
    // or api.multifactor.require("email");
  }
};
```
The user’s email is verified (email_verified: true), and in the dashboard, it shows “MFA registered with Email.”
The /enrollments API returns an empty array, meaning no SMS is registered.
Yet, when the user logs in:
A 6-digit SMS code is sent instead of an email
Or sometimes, the user is prompted to enter a phone number to enable MFA
This user was created via email & password (database connection) — not Google login.
However, I (as admin) have previously logged in to the Auth0 dashboard via Google using the same email address (if that matters).
What I tried
Confirmed email_verified: true
Reset MFA via both dashboard and Management API (POST /multifactor/actions/reset)
Verified that /enrollments is empty
Ensured no phone number exists in the user profile
Replaced enable("email") with require("email") to force the method
Tried logging in again — still getting SMS prompt
What I’m trying to achieve
I want to:
Enforce Email MFA only, without SMS being triggered
Ensure that the user is never prompted to enter a phone number
Understand why SMS is being triggered even when it’s not registered or enabled
Any ideas on what might be causing this or how to enforce Email MFA more reliably?
Thanks in advance!
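One way to express the goal above (email as the only factor, never SMS, never a phone-number prompt) as an added example that is not part of the original post and is not Auth0's own code. It assumes the Actions runtime exposes the factor-selection API api.authentication.challengeWith and the completed-method list event.authentication.methods as documented, and targets a single named factor instead of calling api.multifactor.enable. The app_metadata.mfa flag is taken from the post; the deny-on-unverified-email rule, the simulate helper and the in-memory stand-in for the api object are constructed here for illustration.

```javascript
// Added example: Post Login Action that challenges flagged users with the
// email factor only. The stub runtime at the bottom is constructed so the
// handler can be exercised offline; it is not the Auth0 runtime.

// Assumption: api.authentication.challengeWith({ type: 'email' }) exists as
// documented for Actions factor selection. In Auth0 this function is exported
// as exports.onExecutePostLogin (done guardedly below).
const onExecutePostLogin = async (event, api) => {
  // Only users carrying the app_metadata flag from the post are challenged.
  if (event.user.app_metadata?.mfa !== true) {
    return;
  }

  // Do not challenge twice in one session: event.authentication.methods lists
  // methods already completed (e.g. "pwd", "mfa").
  const methods = event.authentication?.methods ?? [];
  if (methods.some((m) => m.name === 'mfa')) {
    return;
  }

  // The email factor needs a verified address. Refuse outright rather than
  // let the flow fall back to another factor (assumed policy, not Auth0's).
  if (!event.user.email_verified) {
    api.access.deny('Email MFA required but the email address is not verified');
    return;
  }

  // Exactly one factor, no additionalFactors: the user is never offered SMS
  // and never asked to enroll a phone number.
  api.authentication.challengeWith({ type: 'email' });
};

if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Constructed stand-in for the Actions api object: records which calls the
// handler makes so the decision can be checked without a tenant.
function makeApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => calls.push(['deny', reason]) },
    authentication: {
      challengeWith: (factor) => calls.push(['challengeWith', factor.type]),
    },
  };
}

// Runs the handler for a constructed user profile and returns the recorded
// calls. The handler awaits nothing, so its side effects are complete when
// the call returns and the promise can be ignored.
function simulate(user, methods = [{ name: 'pwd' }]) {
  const api = makeApi();
  onExecutePostLogin({ user, authentication: { methods } }, api);
  return api.calls;
}

// Constructed sample profiles (not real accounts).
const flaggedUser = { email_verified: true, app_metadata: { mfa: true } };
const unflaggedUser = { email_verified: true, app_metadata: {} };
const unverifiedFlaggedUser = { email_verified: false, app_metadata: { mfa: true } };

console.log(simulate(flaggedUser));           // [ [ 'challengeWith', 'email' ] ]
console.log(simulate(unflaggedUser));         // []
console.log(simulate(unverifiedFlaggedUser)); // [ [ 'deny', ... ] ]
```

Because challengeWith names one factor and no additionalFactors are passed, the SMS/phone path is never reachable from this Action; if a phone prompt still appears, the trigger is something outside the Action (tenant-wide MFA policy or another Action), which is the check a practitioner would do next.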