Email authentication (MFA)

End users receive a one-time password (OTP) code in an email message to enter during Okta sign in.

Configure Email for MFA

To use email as an MFA factor, select Email Authentication in the Factor Types tab and then select Activate.

Activate an authentication factor

  • After activating email as a factor, configure its usage and authentication details in one or more policies under the Factor Enrollment tab.
  • Factor policy configuration is described generally under Multifactor Policies. When Email is set to Required as an Effective factor, end users specified in the policy are automatically enrolled in MFA using the primary email addresses in their user profiles.
Important Note


  • Okta Mobile Android currently does not support email as an MFA factor.
  • When you activate email as a Factor Type, the default OTP lifetime is 5 minutes. You can increase the lifetime in 5-minute increments up to 30 minutes in the email factor settings. The generally accepted best practice is 10 minutes or less.
  • Using email as a factor is not always a best practice for several reasons, including the following:
    • Email can be compromised by third parties.
    • Email is not always transmitted over secure protocols.
    • Email can also be used, depending on the recovery flow, for primary credential recovery.
    • Email can land in spam folders or be delayed by networking issues.
  • You can also use email as a means of account recovery and set the expiration time for the security token. See © 2021 Okta, Inc. All Rights Reserved. Various trademarks held by their respective owners.