Email Authentication (MFA)

The Email Authentication factor allows users to authenticate themselves by clicking an email magic link or using a six-digit code as a one-time password (OTP). Okta sends these authentication methods in an email message to the user's primary email address, which helps verify that the person making the sign-in attempt is the intended user. If the user doesn't click the email magic link or use the OTP within the challenge lifetime, the user isn't authenticated.

This method provides a simple way for users to authenticate, but there are some issues to consider if you implement this factor:

  • Email isn't always transmitted using secure protocols; unauthorized third parties can intercept unencrypted messages. Consider assigning a shorter challenge lifetime to your email magic links and OTP codes to mitigate this risk.
  • Email messages may arrive in the user's spam or junk folder. Remind your users to check these folders if their email authentication message doesn't arrive.
  • Networking issues may delay email messages. If the email authentication message arrives after the challenge lifetime has expired, users must request another email authentication message.

You can also use email as a means of account recovery and set the expiration time for the security token.

Activate the Email Authentication factor

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Types tab, click Email Authentication.
  3. Click Inactive, then select Activate.

Configure the Email Authentication factor

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Types tab, click Email Authentication.
  3. Click Edit beside Email Authentication Settings.
  4. From the Email OTP token lifetime (minutes) dropdown, select the length of time you want the email magic link and OTP to be valid for.

    The default value is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The generally accepted best practice is 10 minutes or less. If an end user clicks an expired magic link, they must sign in again.

    In addition to emails used for authentication, this value is also applied to emails for self-service password resets and self-service account unlocking.

  5. Click Save.
  6. Click the Factor Enrollment tab. See Configure an MFA enrollment policy and follow the instructions for creating an MFA enrollment policy and adding an MFA enrollment policy rule.

When the Email Authentication factor is set to Required as an Eligible factor in the MFA enrollment policy, the end users specified in the policy are automatically enrolled in MFA using the primary email addresses listed in their user profiles.
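The challenge-lifetime rules above (a six-digit code, valid only for 5 to 30 minutes in 5-minute steps, single use, and a fresh request needed once it expires) modelled as an added example; this is illustrative code written for this page, not Okta's implementation, and the class and function names are assumed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Lifetimes the Admin Console dropdown offers: 5-minute steps up to 30 minutes.
ALLOWED_LIFETIMES_MIN = range(5, 35, 5)


def valid_lifetime(minutes: int) -> bool:
    """True if the lifetime is one the page says the dropdown allows."""
    return minutes in ALLOWED_LIFETIMES_MIN


@dataclass
class EmailChallenge:
    """One outstanding email OTP / magic-link challenge for a user."""
    email: str
    code: str
    issued_at: float
    lifetime_s: int
    consumed: bool = False


class EmailFactor:
    """Toy model of the email OTP factor lifecycle (assumed, not Okta's code)."""

    def __init__(self, lifetime_min: int = 5, clock=time.time):
        if not valid_lifetime(lifetime_min):
            raise ValueError("lifetime must be 5..30 minutes in 5-minute steps")
        self.lifetime_s = lifetime_min * 60
        self.clock = clock                      # injectable for testing expiry
        self.pending: dict[str, EmailChallenge] = {}

    def issue(self, email: str) -> str:
        # Six-digit code from a CSPRNG; a new request replaces any earlier challenge.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = EmailChallenge(email, code, self.clock(), self.lifetime_s)
        return code  # delivered to the user only by email in a real system

    def verify(self, email: str, code: str) -> str:
        ch = self.pending.get(email)
        if ch is None or ch.consumed:
            return "no_challenge"
        if self.clock() - ch.issued_at > ch.lifetime_s:
            del self.pending[email]             # expired: user must request a new message
            return "expired"
        if not hmac.compare_digest(ch.code, code):
            return "invalid"                    # constant-time compare, challenge stays open
        ch.consumed = True                      # a code or link is good for one sign-in only
        return "ok"
```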

Related topics

About multifactor authentication

MFA factor configuration

Multifactor Authentication

MFA enrollment policies

Configure an MFA enrollment policy