Email Converter
Features like Full Site Protection will stop users from enrolling in a standard way as they will not have any option to enter their credentials without providing their second factor first.
It is possible however to enroll users beforehand - provided their username is also an email.
This functionality needs to be enabled globally under settings and use a proper, working email gateway.
To enable an email converter within an application representation you need to enable the function under Advanced Configuration and whitelist emails that would be enabled to use this functionality:
The emails can be input as a list of entries with each entry in a new line.
To use the email converter users need to navigate to a specific URL crafted from the protected application domain, for example: