Email link expiration time

After you upgrade to Identity Engine, learn about the changes to the email link expiration time.

Change summary
  • Classic Engine: The default expiration time of email links used for self-service password resets, self-service account unlock, and multifactor authentication is one hour. You can configure their lifetime to last several days.

  • Identity Engine: The default expiration time is five minutes and it's configured as an authenticator. You can select expiry times in five-minute increments up to 30 minutes. This limit was set because user-initiated password recovery has the same security implications as authentication. When orgs upgrade, their email link expiration settings change to the default settings in Identity Engine.

Admin experience
To configure the Email authenticator, go to Security > Authenticators > Add authenticator > Email.

The Email challenge lifetime (minutes) dropdown offers lifetimes from five minutes (the default) to 30 minutes, in five-minute increments.

User experience
If you configure Email as an authenticator, users can sign in to the app using the magic link or one-time password (OTP) sent to their email address.

Related topics

Configure the Email authenticator

Sign in to resources protected by Okta