Trying to enforce Email MFA but SMS is being triggered instead

Background

I’m trying to enforce Email MFA only for certain users by using a Post Login Action:

// Post Login Action as posted, wrapped in the handler it runs inside
exports.onExecutePostLogin = async (event, api) => {
  if (event.user.app_metadata?.mfa === true) {
    api.multifactor.enable("email");
    // or api.multifactor.require("email");
  }
};

The user’s email is verified (email_verified: true), and in the dashboard, it shows “MFA registered with Email.”
The /enrollments API returns an empty array, meaning no SMS is registered.

Yet, when the user logs in:

A 6-digit SMS code is sent instead of an email

Or sometimes, the user is prompted to enter a phone number to enable MFA

This user was created via email & password (database connection) — not Google login.
However, I (as admin) have previously logged in to the Auth0 dashboard via Google using the same email address (if that matters).

What I tried

Confirmed email_verified: true

Reset MFA via both dashboard and Management API (POST /multifactor/actions/reset)

Verified that /enrollments is empty

Ensured no phone number exists in the user profile

Replaced enable("email") with require("email") to force the method

Tried logging in again — still getting SMS prompt

What I’m trying to achieve

I want to:

Enforce Email MFA only, without SMS being triggered

Ensure that the user is never prompted to enter a phone number

Understand why SMS is being triggered even when it’s not registered or enabled

Any ideas on what might be causing this or how to enforce Email MFA more reliably?

Thanks in advance!

Hi @s.kimura,

Welcome to the Auth0 Community!

The enable() method turns on the ability to use email as an MFA method. This should be enabled from the dashboard at Security > Multi-factor Auth. If you want to customize which MFA factor challenges the user, you must set Require Multi-factor Auth to Never, and turn off MFA Risk Assessors.

Save, and then, at Additional Settings, turn on Customize MFA factors using Actions

However, you’ll see that the dashboard doesn’t allow you to turn on email MFA alone.

As stated in the docs here, email MFA is not a “true” MFA method; therefore, it can’t be the only one turned on. It needs something like SMS or OTP turned on alongside it, which the method you used might’ve automatically turned on.

The challengeWith() function from the Management API will challenge the user using the email MFA method. You can read more about this from our docs.

exports.onExecutePostLogin = async (event, api) => {
  // Explicitly select email as the factor for this login
  api.authentication.challengeWith({ type: 'email' });
};

However, to use it, you will still need to enable other methods of MFA, like SMS or OTP.

If you have any other questions, feel free to reach out.

Have a good one,
Vlad

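A fuller version of the Action from the answer above, added here as an example and not code from the thread or from Auth0: it combines the questioner's app_metadata.mfa flag with challengeWith(), and refuses the login instead of letting the tenant fall back to another factor when the address is not verified. It assumes the dashboard setup described in the answer (email enabled alongside another factor, Require Multi-factor Auth set to Never, Customize MFA factors using Actions turned on); decideMfa and the deny-on-unverified rule are this example's own choices.

```javascript
// Added example (not from the original thread): a Post Login Action that
// challenges flagged users with email MFA only.
// Assumed tenant setup (from the answer): email enabled as a factor alongside
// another factor, "Require Multi-factor Auth" set to Never, MFA Risk Assessors
// off, and "Customize MFA factors using Actions" turned on.
// Assumed convention (from the question): protected users carry
// app_metadata.mfa === true.

// Pure decision logic, kept separate from the Actions api so it can be tested.
// Returns { action: "none" } | { action: "deny", reason } | { action: "challenge", type }.
function decideMfa(user) {
  const flagged = user.app_metadata?.mfa === true;
  if (!flagged) {
    return { action: "none" }; // unflagged user: no MFA challenge at all
  }
  // An email code is only meaningful for a verified address; refusing the
  // login here is this example's choice, so the tenant never falls back to
  // another factor such as SMS for a user that should get email only.
  if (!user.email_verified) {
    return { action: "deny", reason: "Email MFA required but email is not verified" };
  }
  return { action: "challenge", type: "email" };
}

// The Action handler: applies the decision through the Actions api object.
// Naming the factor explicitly keeps the tenant default from being used.
async function onExecutePostLogin(event, api) {
  const decision = decideMfa(event.user);
  if (decision.action === "deny") {
    api.access.deny(decision.reason);
  } else if (decision.action === "challenge") {
    api.authentication.challengeWith({ type: decision.type });
  }
}

// Export for the Auth0 Actions runtime (CommonJS); harmless when run elsewhere.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```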

Hi @vlad.murarasu ,

Thanks a lot — it worked perfectly!
Your detailed explanation and step-by-step guidance helped me solve the issue completely.
Really appreciate your support.

Have a great day!

— s.kimura
