Configure Email Notifications for MFA
Using email as an MFA factor is useful when you want to provide users a way to perform MFA when they don't have their primary factor available (e.g. they don't have their phone to receive an SMS or push notification).
Email is not true MFA because it does not represent a different factor than the password. It does not represent something I have or something I am, but rather just something I know (the email password). It is also weaker than other factors in that it's only as secure as the email itself (for example, encrypted end-to-end).
Users do not need to explicitly enroll with email MFA. They will get be able to use it when they have a verified email. This happens when they:
Complete the email verification flow which updates the
email_verifiedfield using the Management API.
Log in with a connection that provides verified emails (such as Google).
You can only enable email as an MFA factor if there is already another factor enabled. Email will only be functional as a factor from Universal Login when you have the New Universal Login Experience enabled.
Once Email MFA is enabled, users will be prompted to complete MFA with another enabled factor. If they select Try another method, and then pick Email, they will be sent an email with a 6-digit code that they will need to enter to complete the authentication flow.
Configure email notifications
You can explicitly enroll email for MFA using the MFA API. If users have a verified email and one or more explicitly enrolled emails, they can to select which email they want to use to complete MFA when logging-in using Universal Login.
Go to Dashboard > Multifactor Auth and toggle Email. You will only be able to enable it if there is another factor enabled.