Configure Email Notifications for MFA
Use email as a multi-factor authentication (MFA) factor to provide users a way to perform MFA when they don't have their primary factor available (e.g. they don't have their device to receive an SMS or push notification).
Availability varies by login implementation
The login implementation you use affects whether this feature is available. To learn more, read Universal Login vs. Classic Login.
Email is not true MFA because it does not represent a different factor than the password. It does not represent something I have or something I am, but rather just something I know (the email password). It is also weaker than other factors in that it's only as secure as the email itself (for example, encrypted end-to-end).
Users do not need to explicitly enroll with email MFA. They will get be able to use it when they have a verified email. This happens when they:
Complete the email verification flow which updates the
email_verified
field using the Management API.Log in with a connection that provides verified emails (such as Google).
You can only enable email as an MFA factor if there is already another factor enabled.
Once Email MFA is enabled, users will be prompted to complete MFA with another enabled factor. If they select Try another method, and then pick Email, they will be sent an email with a 6-digit code that they will need to enter to complete the authentication flow.
Configure email notifications
You can explicitly enroll email for MFA using the MFA API. If users have a verified email and one or more explicitly enrolled emails, they can choose to select which email they want to use to complete MFA when logging-in using Universal Login.
Go to Dashboard > Security > Multi-factor Auth and enable the Email toggle. You will only be able to enable it if there is another factor enabled.
Auth0 provides a test email provider but it only allows a limited amount of emails, so you should configure your own email provider. To learn more, read Configure External SMTP Email Providers.