Enrolling in More Than One MFA Factor
This article addresses an issue where users are not prompted to enroll in a One-Time Password (OTP) factor for Multi-Factor Authentication (MFA) if they are already enrolled using Short Message Service (SMS).
- Multi-Factor Authentication (MFA)
- Short Message Service (SMS)
- One-Time Password (OTP)
This is expected behavior. Auth0 only permits enrollment of one MFA factor during the standard login or signup flow.
If an SMS factor is enrolled and an additional OTP factor is required, it must be set using the Management API.
- Use the following endpoint to create the new authentication method for the user:
  POST /api/v2/users/{id}/authentication-methods
- Authentication methods created via this endpoint are auto-confirmed and are considered verified. For more details, see the Auth0 Management API v2 Documentation.
NOTE: Auth0 prompts for the most secure factor first. After this change, users will be prompted for OTP first, but they retain the option to select another method and choose SMS instead.
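The Python below is an added example, not Auth0's own code: it builds the request to the endpoint above that adds an OTP factor for a user who already has SMS. The body fields type, name and totp_secret follow the Management API schema for this endpoint rather than this article. The tenant domain, user ID, token and the otpauth:// helper (for handing the secret to the user, since the method is auto-confirmed) are assumptions for illustration.

```python
import base64
import json
import secrets
import urllib.request
from urllib.parse import quote


def new_totp_secret(num_bytes: int = 20) -> str:
    """Return a random Base32 secret (160 bits by default, no padding)."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode().rstrip("=")


def build_totp_enrollment(domain, user_id, mgmt_token, totp_secret, name="Authenticator app"):
    """Build (but do not send) the POST that adds an OTP factor to a user."""
    # User IDs such as "auth0|abc" contain "|" and must be percent-encoded in the path.
    url = f"https://{domain}/api/v2/users/{quote(user_id, safe='')}/authentication-methods"
    # Field names are from the Management API schema, not from this article.
    body = {"type": "totp", "name": name, "totp_secret": totp_secret}
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {mgmt_token}", "Content-Type": "application/json"},
    )


def provisioning_uri(issuer, account, totp_secret):
    """otpauth:// URI the user loads into an authenticator app (assumed delivery step)."""
    label = quote(f"{issuer}:{account}", safe="")
    return f"otpauth://totp/{label}?secret={totp_secret}&issuer={quote(issuer, safe='')}"


def enroll(request):
    """Send the request; on success the new method is already confirmed."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder values; replace with a real tenant, user and token.
    secret = new_totp_secret()
    req = build_totp_enrollment("example-tenant.auth0.com", "auth0|0123456789", "MGMT_API_TOKEN", secret)
    print(req.get_method(), req.full_url)
    print(provisioning_uri("Example", "user@example.com", secret))
```

Because the method is created already verified, treat the secret and the provisioning URI as credentials: deliver them over an authenticated channel and do not log them.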