That’s an interesting question. Suppose you have a user who has a verified mobile number but who doesn’thave a verified email address. Does this let them work around the need to have a verified email address? In other words, can you log on by using your mobile device and call it good?
No, you can’t. Admittedly, at first it might look like you can bypass the need to have a verified email address. After you’ve been authenticated, you’ll see the screen that enables you to pick the desired 2FA method:
Click *********99 (which is simply a masked copy of the user’s mobile phone number) and an access code is sent to your mobile device. You can then enter that code in the Access Code Required screen:
However, that does not log you in. Instead, after that access code has been verified, a second code is sent to your email address:
This code is sent because your email address hasn’t been verified. You must supply the access code before you can log in and before you can be issued an access token.
This won’t happen very often (if ever), but if you do have a user who has a verified mobile number but not a verified email address, that user still must verify their email address before they can log on.
And what if you haven’t verified either your email address or your mobile number? In that case, the access code is automatically sent to your email address:
In turn, you won’t be given the option to use your mobile device for 2FA until you’ve accessed your user profile and verified your mobile number.
- An Introduction to Two-Factor Authentication
- Enabling and Disabling Two-Factor Authentication
- Modifying the traditionalRegistrationForm and the socialRegistrationForm Forms
- Two-Factor Authentication and User Registrations
- Two-Factor Authentications and User Logins
- What Happens if a Two-Factor Authentication Session Gets Interrupted?