Why enroll in SMS if Email factor is enrolled

Hi All,

Going through the labs I didn’t quite catch MFA enrollment requirements. The scenario is:

  • user was enrolled into SMS and Email
  • when logging in they can select which factor to use
  • we do MFA reset
  • management dashboard shows that the user is enrolled into Email only (makes sense)
  • user tries to log in and gets a dialog to enroll into SMS and is not able to use Email

Can somebody please help me understand this experience? Having an Okta background I expected a different behavior, but, I guess, it’s not relevant here.

Thanks in advance,
Philipp

Hi @phi1ipp,

Welcome to the Auth0 Community!

According to our blog post on the matter:

What about Email as the Only MFA Factor?

Currently, email MFA is only available as an optional backup multi-factor method. The user must have another method as the primary form of multi-factor authentication. Enabling email MFA as a standalone multi-factor method is on the Auth0 roadmap.

As for why; Email and password could be considered a single factor. If an attacker had access to a user’s email, they could also reset their password. We suggest requiring two separate factors, but you have the option of adding email.
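To make the two login experiences from the question concrete, here is an added toy model (my own example code, not Auth0's; the factor names, the behaviour of the reset, and the "email shares a trust anchor with the password" rule are assumptions) that replays the five-step scenario and encodes the backup-only rule for email:

```python
"""Toy model of the enrollment rule discussed in this thread: email is a
backup-only MFA factor, so a user needs at least one primary factor before
email is offered at login. Added example, not Auth0 code; the factor
catalogue and the reset behaviour are assumptions chosen to reproduce the
scenario from the question."""

# Assumed factor classes (illustrative; the real catalogue may differ).
PRIMARY_FACTORS = frozenset({"sms", "otp", "push"})
BACKUP_ONLY_FACTORS = frozenset({"email"})


def has_primary(enrolled: set[str]) -> bool:
    """True when the user holds at least one primary factor."""
    return bool(enrolled & PRIMARY_FACTORS)


def login_options(enrolled: set[str]) -> dict:
    """What the login flow offers for a given set of enrolled factors.

    Returns {"challenge": factors the user may pick from,
             "enroll":    True when the flow must demand a new primary factor}.
    Backup-only factors are offered only alongside a primary factor.
    """
    if has_primary(enrolled):
        return {"challenge": sorted(enrolled), "enroll": False}
    # No primary factor: email alone cannot be used, so force enrollment.
    return {"challenge": [], "enroll": True}


def reset_mfa(enrolled: set[str]) -> set[str]:
    """Model of the reset in the question: primary factors are dropped and
    backup factors remain, matching what the dashboard showed (assumption)."""
    return set(enrolled - PRIMARY_FACTORS)


def independent_factor_count(enrolled: set[str],
                             password_reset_via_email: bool = True) -> int:
    """Count factors that are independent of the password.

    The password is one factor. Email is collapsed into the password factor
    when the password can be reset through that same mailbox, which is the
    reasoning given in the answer: control of the mailbox yields both.
    """
    factors = 1  # the password itself
    for factor in enrolled:
        if factor == "email" and password_reset_via_email:
            continue  # same trust anchor as the password: not independent
        factors += 1
    return factors


def walkthrough():
    """Replay the scenario: enroll SMS+Email, reset, try to log in again."""
    enrolled = {"sms", "email"}
    before_reset = login_options(enrolled)   # both factors selectable
    enrolled = reset_mfa(enrolled)           # dashboard now shows Email only
    after_reset = login_options(enrolled)    # enrollment dialog, Email unusable
    return before_reset, sorted(enrolled), after_reset


if __name__ == "__main__":
    print(walkthrough())
    print(independent_factor_count({"email"}),
          independent_factor_count({"sms", "email"}))
```

Running `walkthrough()` shows the exact sequence from the question: with SMS and Email enrolled the user can choose either; after the reset only Email remains, and the next login demands a new primary factor instead of offering Email. `independent_factor_count` captures the "why": a mailbox that can also reset the password adds no second independent factor, which is what makes email a backup rather than a standalone method.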