Users with MFA but multifactor[] is Missing

Overview

The user profile shows multifactor[] as an empty array even when email MFA is enrolled.

Solution

When email/biometrics is the only enrolled factor, the user is still allowed to enroll in another factor. Email is generally enrolled implicitly (by verifying the user’s email address) and is not considered a secure factor.

The ‘multifactor’ property is cleared when email is the only enrollment detected. Note that manually deleting a user’s MFA factors while email is still among the enrolled factors will reset ‘multifactor’.
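An MFA coverage audit that reads only ‘multifactor’ cannot tell an email-only user from a user with no factors at all. The following is an added example, not code from the product or its documentation: it cross-checks the profile against a separate enrollment listing. The `enrolled` field, the `otp` factor name, the labels and the sample records are all constructed assumptions.

```python
# Added example. Field names other than 'multifactor' and all sample
# records are constructed assumptions, not a vendor API.
IMPLICIT_FACTORS = {"email"}  # per the page: enrolled implicitly, not a secure factor


def naive_has_mfa(profile):
    """The misleading check: trusts the 'multifactor' array alone."""
    return bool(profile.get("multifactor"))


def classify(profile, enrolled):
    """Label one user from the profile plus a separate enrollment listing."""
    factors = set(enrolled)
    strong = factors - IMPLICIT_FACTORS
    listed = naive_has_mfa(profile)
    if not factors:
        return "no-mfa"
    if not strong:
        # Only email is enrolled, so an empty 'multifactor' is expected.
        return "email-only" if not listed else "review"
    # A non-email factor is enrolled; an empty array here needs a look.
    return "mfa" if listed else "review"


def audit(users):
    """Group user ids by label."""
    report = {}
    for u in users:
        label = classify(u["profile"], u["enrolled"])
        report.setdefault(label, []).append(u["profile"]["user_id"])
    return report


# Constructed sample data.
SAMPLE_USERS = [
    {"profile": {"user_id": "u1", "multifactor": ["otp"]}, "enrolled": ["email", "otp"]},
    {"profile": {"user_id": "u2", "multifactor": []}, "enrolled": ["email"]},
    {"profile": {"user_id": "u3", "multifactor": []}, "enrolled": []},
    {"profile": {"user_id": "u4"}, "enrolled": ["otp"]},
]

if __name__ == "__main__":
    for label, ids in audit(SAMPLE_USERS).items():
        print(label, ids)
```

Users u2 and u3 look identical to the naive check, while the cross-check separates them and flags u4 for review.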