Why enroll in SMS if Email factor is enrolled

phi1ipp · October 14, 2022, 6:45pm

Hi All,

Going through the labs I didn’t quite catch MFA enrollment requirements. The scenario is:

user was enrolled into SMS and Email
when logging in they can select which factor to use
we do MFA reset
management dashboard shows that the user is enrolled into Email only (makes sense)
user tries to log in and get a dialog to enroll into SMS and not being able to use Email

Can somebody please help to understand this experience? Having Okta background I expected a different behavior, but, I guess, it’s not relevant here.

Thanks in advance,
Philipp

dan.woda · October 27, 2022, 6:29pm

Hi @phi1ipp,

Welcome to the Auth0 Community!

According to our blog post on the matter:

What about Email as the Only MFA Factor?

Currently, email MFA is only available as an optional backup multi-factor method. The user must have another method as the primary form of multi-factor authentication. Enabling email MFA as a standalone multi-factor method is on the Auth0 roadmap.

As for why; Email and password could be considered a single factor. If an attacker had access to a user’s email, they could also reset their password. We suggest requiring two separate factors, but you have the option of adding email.

system · November 10, 2022, 6:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.