Overview
The user profile has multifactor[] as an empty array object even when email MFA is enrolled.
Solution
When email/biometrics is the only enrolled factor, the user is still allowed to enroll in another factor. Email is generally enrolled implicitly (by verifying the user’s email address) and is not considered a secure factor.
The ‘multifactor ’ property is cleared when only email enrollment is detected. It’s worth noting that manually deleting users’ MFA factors while email is still part of the enrolled MFA will reset ‘multifactor’.