> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes limitations of Identifiers and Attributes.

# Flexible Identifiers and Attributes

<Warning>
  Enabling Flexible Identifiers on your tenant has the potential to introduce breaking changes to your production environment. Test this feature thoroughly in a development environment and note your current connection settings before releasing it widely.
</Warning>

A **Flexible Identifier** is the attribute a user inputs on a login screen to authenticate themselves. You can choose from email, username, phone, or a combination of two or more.

### Attribute and Identifier definitions

For this product, an **Attribute** is a piece of user data that can be stored, such as email, phone number, and username. All Identifiers are Attributes, but only specific attributes are Identifiers.

An **Identifier** is a unique Attribute that recognizes a distinct user in a given connection. Email, phone, and username can uniquely identify an individual and serve as Identifiers, while other attributes contribute to the user's profile without uniquely identifying a user.

### Use Flexible Identifiers

Flexible Identifiers is for general access with the following limitations:

* Flexible Identifiers, including the phone attribute, are only available with [Universal Login](/docs/authenticate/login/auth0-universal-login/universal-login-vs-classic-login/universal-experience) and you must [configure a phone provider](/docs/customize/phone-messages/configure-phone-messaging-providers).
* You must configure [Identifier First](/docs/authenticate/login/auth0-universal-login/identifier-first) to use phone verification on signup.
* The email address attribute must be enabled to use [Adaptive MFA](/docs/secure/multi-factor-authentication/adaptive-mfa).
* You must have email on the User Profile to use Signup invites for [Organizations](/docs/manage-users/organizations/organizations-overview).
* End users blocked under <Tooltip tip="Brute-force Protection: Form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account." cta="View Glossary" href="/docs/glossary?term=Brute+Force+Protection">Brute Force Protection</Tooltip> cannot unblock themselves via an SMS message. Other methods are available; to learn more, [read Brute Force Protection](/docs/secure/attack-protection/brute-force-protection).
* Flexible Identifiers moves the identifier field to the first login screen and changes the reset password prompt from email to username.
* OTP tokens for phone and email identifier verification have a lifetime of 900 seconds.

### Issues using Flexible Identifiers

The following is a list of potential issues you may encounter while configuring and managing Flexible Identifiers:

* If the scope `phone` is not specified in the authorization request by your application, you will not receive the `phone_number` claim. To learn more about scopes, [read Scopes](/docs/get-started/apis/scopes).
* Your Get User custom database action script must be valid when **Import Users to Auth0** is set to **on.** To learn more, [read Configure Automatic Migration from Your Database](/docs/manage-users/user-migration/configure-automatic-migration-from-your-database).
* Each user must be assigned a unique username, email address, and phone number regardless of connection type. The phone number is unique even if not added as an attribute.
* If you use the custom database action script Change Password and want to set `email` and `email_verified` to `True`, you must return the preferred `email_verified` state on the object. To learn more, [read Change Password](/docs/authenticate/database-connections/custom-db/templates/change-password).
* If you use a custom database connection with Import Users to Auth0 toggled off, you must align your user profile properties with the Auth0 normalized user profile. To learn more, [read Normalized User Profile](/docs/manage-users/user-accounts/user-profiles/normalized-user-profiles).
* If you use a custom database connection with Import Users to Auth0 toggled on, Auth0 will check for uniqueness of `phone_number` and `phone_verified.`
* Identifier First prompts display all identifiers on the first screen and remove your previous settings, and the Reset Password prompt will display the input field to Username instead of Email.
* Familiarize yourself with best practices to avoid SMS Pumping attacks. To learn more, read our [whitepaper on SMS Pumping](https://www.okta.com/resources/whitepaper-handling-toll-fraud-and-sms-pumping-with-twilio-in-the-okta-customer-identity/).