Hi All,
Going through the labs, I didn't quite catch the MFA enrollment requirements. The scenario is:
- user was enrolled into SMS and Email
- when logging in they can select which factor to use
- we do MFA reset
- management dashboard shows that the user is enrolled into Email only (makes sense)
- user tries to log in and gets a dialog to enroll in SMS, and is not able to use Email
Can somebody please help me understand this experience? Having an Okta background, I expected a different behavior, but, I guess, it's not relevant here.
Thanks in advance,
Philipp
Hi @phi1ipp,
Welcome to the Auth0 Community!
According to our blog post on the matter:
What about Email as the Only MFA Factor?
Currently, email MFA is only available as an optional backup multi-factor method. The user must have another method as the primary form of multi-factor authentication. Enabling email MFA as a standalone multi-factor method is on the Auth0 roadmap.
As for why: Email and password could be considered a single factor. If an attacker had access to a user's email, they could also reset their password. We suggest requiring two separate factors, but you have the option of adding email.
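To make the two points in this thread concrete (email is offered only next to a primary factor, and password plus email OTP collapse onto one recovery channel), here is a small model written for this reply. It is an added example, not Auth0's code or logic: the channel table, the set of "primary" factors, and the `login_prompt` rules are assumptions chosen to reproduce the behaviour described above, and the sample enrollment lists are constructed.

```python
"""Model of the 'email is backup-only' MFA rule and the 'email + password
is one factor' argument from the thread.

Added example, not Auth0's implementation. RECOVERY_CHANNEL, PRIMARY_FACTORS
and the prompt rules below are assumptions made for illustration.
"""

from typing import Iterable

# Assumption: each credential is ultimately recoverable over one channel.
# A password reset link lands in the mailbox, so "password" rides on the
# same channel as an email OTP; that is exactly the moderator's point.
RECOVERY_CHANNEL = {
    "password": "email",
    "email": "email",         # email OTP
    "sms": "phone",
    "otp": "authenticator",   # TOTP app
    "push": "authenticator",
    "webauthn": "device",
}

# Assumption: email is a backup-only factor and can be offered at login
# only when the user also holds at least one of these primary factors.
PRIMARY_FACTORS = {"sms", "otp", "push", "webauthn"}


def independent_channels(factors: Iterable[str]) -> set:
    """Distinct channels an attacker must control to satisfy every factor."""
    return {RECOVERY_CHANNEL[f] for f in factors}


def effective_factor_count(factors: Iterable[str]) -> int:
    """How many truly separate things an attacker has to compromise."""
    return len(independent_channels(factors))


def login_prompt(enrollments: Iterable[str],
                 tenant_factors: Iterable[str] = ("sms", "email")) -> dict:
    """What a password user with these enrollments sees after the password step.

    tenant_factors: factors the tenant has switched on (assumed default
    matches the thread: SMS and Email).
    """
    enrolled = set(enrollments)
    enabled = set(tenant_factors)
    primaries = enrolled & PRIMARY_FACTORS & enabled
    if primaries:
        # Email is selectable, but only alongside a primary factor.
        selectable = sorted(primaries | (enrolled & {"email"} & enabled))
        return {"action": "challenge", "selectable": selectable, "enroll": []}
    # No primary factor left (e.g. right after an MFA reset): the flow
    # forces enrollment into the enabled primary factors, not Email.
    return {"action": "enroll", "selectable": [],
            "enroll": sorted(PRIMARY_FACTORS & enabled)}


def users_needing_enrollment(users: dict) -> list:
    """Audit helper: users whose next login will be an enrollment prompt."""
    return sorted(u for u, f in users.items()
                  if login_prompt(f)["action"] == "enroll")


if __name__ == "__main__":
    # Constructed sample data mirroring the scenario in the question.
    before_reset = ["sms", "email"]
    after_reset = ["email"]          # dashboard shows Email only
    print("before reset:", login_prompt(before_reset))
    print("after reset: ", login_prompt(after_reset))
    print("password+email channels:", independent_channels(["password", "email"]))
    print("password+sms channels:  ", independent_channels(["password", "sms"]))
    print("needs enrollment:", users_needing_enrollment(
        {"alice": before_reset, "bob": after_reset, "carol": []}))
```

Running it shows the sequence from the question: with SMS and Email enrolled the user can pick either, but once only Email is left the model returns an enrollment prompt for SMS, and `effective_factor_count(["password", "email"])` is 1 while `["password", "sms"]` gives 2, which is the reason the answer gives for not allowing email on its own.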