Email Authentication (MFA)

The Email Authentication factor allows users to authenticate using a six-digit code as a one-time password (OTP). Okta sends the OTP in an email message to the user's primary email address, which helps verify that the person making the sign-in attempt is the intended user. If the user doesn't use the OTP within the challenge lifetime, the user isn't authenticated.

This method provides a simple way for users to authenticate, but there are some issues to consider if you implement this factor:

  • Email isn't always transmitted using secure protocols; unauthorized third parties can intercept unencrypted messages. Consider assigning a shorter challenge lifetime to your OTP codes to mitigate this risk.
  • Email messages may arrive in the user's spam or junk folder. Remind your users to check these folders if their email authentication message doesn't arrive.
  • Networking issues may delay email messages. If the email authentication message arrives after the challenge lifetime has expired, users must request another email authentication message.

You can also use email as a means of account recovery and set the expiration time for the security token.

Activate the Email Authentication factor

  1. In the Admin Console, go to SecurityMultifactor.
  2. On the Factor Types tab, click Email Authentication.
  3. Click Inactive, then select Activate.

Configure the Email Authentication factor

  1. In the Admin Console, go to SecurityMultifactor.
  2. On the Factor Types tab, click Email Authentication.
  3. Click Edit beside Email Authentication Settings.
  4. From the Email OTP token lifetime (minutes) dropdown, select the length of time you want the OTP to be valid for.

    The default value is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The accepted best practice is 10 minutes or less.

    In addition to emails used for authentication, this value is also applied to emails for self-service password resets and self-service account unlocking.

  5. Click Save.
  6. Click the Factor Enrollment tab. See Configure an MFA enrollment policy and follow the instructions for creating an MFA enrollment policy and adding an MFA enrollment policy rule.

When the Email Authentication factor is set to Required as an Eligible factor in the MFA enrollment policy, the end users specified in the policy are automatically enrolled in MFA using the primary email addresses listed in their user profiles.

Related topics

About multifactor authentication

MFA factor configuration

Multifactor Authentication

MFA enrollment policies

Configure an MFA enrollment policy