Email as an optional authenticator

After you upgrade to Identity Engine, learn about the changes to email as an optional authenticator.

Change summary
  • Classic Engine: Email is auto-enrolled for recovery flows but is available in authentication policies only if the authenticator enrollment policy requires it.
  • Identity Engine: The email authenticator is auto-enrolled for both authentication and recovery flows when a user verifies their primary email address, or when you provide the address during user creation. This avoids redundant email enrollment challenges for users who have already proved they own the address (self-service registration) and for users who don't need to prove it (admin-created users).
Admin experience

You can choose the setting for the email authenticator that fits your use case:

  • Disabled: Okta recommends disabling email as an authenticator if your users' primary email accounts are themselves protected by Okta. A code sent to a mailbox that requires Okta to sign in doesn't give independent proof of possession: whoever holds the Okta session can read it, and a user locked out of Okta can't. Authentication emails are sent only to the primary email address, not to a secondary email address.
  • Required: Okta recommends requiring email as an authenticator for extended workforce and Customer Identity and Access Management (CIAM) use cases. Validating the primary email address is a common requirement for these identities.
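As an added example (not Okta's code or documentation), the Python below lints an authenticator enrollment policy against the two recommendations above. It assumes the policy shape the Okta Policy API returns for type MFA_ENROLL (settings.authenticators[] entries with a key such as okta_email and enroll.self set to NOT_ALLOWED, OPTIONAL or REQUIRED); confirm that shape against your own org's API response before relying on it. The two policy objects are constructed sample input, and the only external signal the lint needs is whether your users reach their primary mailbox through Okta.

```python
"""Lint the email authenticator setting in an Okta Identity Engine
authenticator enrollment policy.

Added example, not Okta's code. Assumed API shape (verify against your org):
a policy of type MFA_ENROLL whose settings.authenticators[] entries carry a
"key" (for example "okta_email") and enroll.self of NOT_ALLOWED, OPTIONAL
or REQUIRED. Policies below are constructed sample input, not real data.
"""
import copy
from typing import List, Optional

EMAIL_KEY = "okta_email"
ENABLED = ("OPTIONAL", "REQUIRED")

# Constructed sample: a workforce org whose mailbox is an Okta-protected app,
# yet email is still enrollable (the misconfiguration the page warns about).
WORKFORCE_POLICY = {
    "type": "MFA_ENROLL",
    "name": "Workforce enrollment",
    "status": "ACTIVE",
    "settings": {
        "type": "AUTHENTICATORS",
        "authenticators": [
            {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
            {"key": "okta_verify", "enroll": {"self": "REQUIRED"}},
            {"key": EMAIL_KEY, "enroll": {"self": "OPTIONAL"}},
        ],
    },
}

# Constructed sample: a CIAM org where validating the primary email matters.
CIAM_POLICY = {
    "type": "MFA_ENROLL",
    "name": "Customer enrollment",
    "status": "ACTIVE",
    "settings": {
        "type": "AUTHENTICATORS",
        "authenticators": [
            {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
            {"key": EMAIL_KEY, "enroll": {"self": "REQUIRED"}},
        ],
    },
}


def email_enrollment(policy: dict) -> Optional[str]:
    """Return enroll.self for okta_email, or None if the policy omits it.

    An authenticator missing from settings.authenticators is treated as not
    enabled by this policy.
    """
    for auth in policy.get("settings", {}).get("authenticators", []):
        if auth.get("key") == EMAIL_KEY:
            return auth.get("enroll", {}).get("self")
    return None


def lint_email_setting(policy: dict, mailbox_behind_okta: bool,
                       external_identities: bool) -> List[str]:
    """Flag settings that contradict the page's recommendations.

    mailbox_behind_okta: users sign in to their primary mailbox via Okta, so
        an emailed code is not independent proof of possession (whoever holds
        the Okta session can read it; a locked-out user can't).
    external_identities: extended workforce or CIAM population, for which
        the primary email should be validated by requiring the authenticator.
    """
    setting = email_enrollment(policy)
    name = policy.get("name", "<unnamed policy>")
    findings = []
    if mailbox_behind_okta and setting in ENABLED:
        findings.append(f"{name}: okta_email is {setting} but the primary "
                        f"mailbox is protected by Okta; set it to NOT_ALLOWED")
    if external_identities and setting != "REQUIRED":
        findings.append(f"{name}: okta_email is {setting or 'absent'}; "
                        f"external identities should have it REQUIRED")
    return findings


def set_email_enrollment(policy: dict, value: str) -> dict:
    """Return a copy of the policy with okta_email set to value.

    The copy is the body you would PUT back to the policy endpoint; the
    input is left untouched so it can be diffed against the result.
    """
    if value not in ("NOT_ALLOWED",) + ENABLED:
        raise ValueError(f"unknown enrollment value {value!r}")
    fixed = copy.deepcopy(policy)
    auths = fixed.setdefault("settings", {}).setdefault("authenticators", [])
    for auth in auths:
        if auth.get("key") == EMAIL_KEY:
            auth["enroll"] = {"self": value}
            break
    else:
        auths.append({"key": EMAIL_KEY, "enroll": {"self": value}})
    return fixed


if __name__ == "__main__":
    for line in lint_email_setting(WORKFORCE_POLICY, True, False):
        print(line)
    repaired = set_email_enrollment(WORKFORCE_POLICY, "NOT_ALLOWED")
    print("after fix:", lint_email_setting(repaired, True, False) or "clean")
```

Run the lint over the policies your org actually returns rather than the samples; the mailbox_behind_okta flag is something only you can answer, and it is the whole basis for the "Disabled" recommendation.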
User experience

Email is auto-enrolled as an authenticator. It appears as an authenticator if allowed by the policy, even when the user has enrolled in other optional authenticators.

Depending on how the user is created and who sets the password, the user may not be prompted to enroll in other optional authenticators when they first sign in.

Related topics

Create an authentication enrollment policy

About authentication enrollment policies and rules