We’re assuming that, after your users log on, two-factor authentication kicks in and the user sees a screen similar to this:
As the screen makes clear, the user’s access code was automatically sent to their email address. And that’s fine. Except that other users log in and see a screen like the following, a screen that gives them an option of having their access code sent by email or sent to their mobile device via text message:
So what makes these users so special that they get to have access codes sent via email or text message?
To be honest, there’s nothing special about these users (at least not that we know about). Instead, they get the option to have access codes sent via text messaging simply because they have a verified mobile device number. That’s it. Does a user have values configured for the mobileNumber and mobileNumberVerifiedattributes in their user profile:
In that case, they’ll have the option of having access codes sent by email or by text message. If those attribute values are blank, then access codes are automatically sent via email:
If a user wants the option of receiving access codes via text message all they need to do is add (and verify) their mobile device number.