Configure the Email authenticator

The email authenticator allows users to authenticate themselves by clicking an email magic link or using a six-digit code as a one-time password (OTP). Okta sends these authentication methods in an email message to the user's primary email address to verify that the person making the sign-in attempt is the intended user. If the user doesn't click the email magic link or use the OTP within the challenge lifetime, the user authentication isn't processed.

This method provides a simple way for users to authenticate, but there are some issues to consider if you implement the email authenticator:

  • Email isn't always transmitted using secure protocols. Unauthorized third parties can intercept unencrypted messages. Consider assigning a shorter challenge lifetime to your email magic links and OTP codes to mitigate this risk.
  • Email messages may arrive in the user's spam or junk folder. Remind your users to check these folders if their email authentication message doesn't appear.
  • Networking issues may delay email messages. If the email authentication message arrives after the challenge lifetime has expired, users must request another email authentication message.

You can configure Okta to use this authenticator for just account recovery, or for both authentication and account recovery. If you choose only the recovery option, Okta doesn't request authentication during the evaluation of your Global Session Policy.

Add email as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Email tile.
  4. Optional. Change the default Email challenge lifetime (minutes).

    The default value is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The generally accepted best practice is 10 minutes or less. If an end user clicks an expired magic link, they must sign in again.

    In addition to emails used for authentication, this value is also applied to emails for self-service password resets and self-service account unlocking.

  5. Select the scenarios for which end users can use the email authenticator:
    • Authentication and recovery
    • Recovery
  6. Click Add.
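To make the challenge lifetime rules concrete, here is an added Python model (not Okta's code) of the Email challenge lifetime setting described in step 4 and of an expiring OTP check; the single-use behaviour and the constant-time comparison are assumptions of the model, not statements about Okta's implementation.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constraints the admin setting enforces, as stated on the page.
DEFAULT_LIFETIME_MIN = 5
MAX_LIFETIME_MIN = 30
STEP_MIN = 5
RECOMMENDED_MAX_MIN = 10   # "generally accepted best practice is 10 minutes or less"


def validate_lifetime(minutes: int) -> int:
    """Accept only values the Email challenge lifetime (minutes) setting allows."""
    in_range = DEFAULT_LIFETIME_MIN <= minutes <= MAX_LIFETIME_MIN
    if not in_range or minutes % STEP_MIN:
        raise ValueError(
            f"lifetime must be {DEFAULT_LIFETIME_MIN}-{MAX_LIFETIME_MIN} minutes "
            f"in {STEP_MIN}-minute steps"
        )
    return minutes


def exceeds_best_practice(minutes: int) -> bool:
    """Flag a configured lifetime longer than the recommended maximum."""
    return minutes > RECOMMENDED_MAX_MIN


@dataclass
class EmailChallenge:
    """A six-digit OTP bound to one challenge; assumed model, not Okta's code."""
    issued_at: float            # seconds since epoch, passed in for testability
    lifetime_min: int
    otp: str = field(default_factory=lambda: f"{secrets.randbelow(10**6):06d}")
    used: bool = False

    def verify(self, submitted: str, now: float) -> bool:
        """Reject expired or already-used codes; compare in constant time."""
        if self.used or now - self.issued_at > self.lifetime_min * 60:
            return False                      # outside the challenge lifetime
        if not hmac.compare_digest(self.otp, submitted):
            return False                      # wrong code, challenge stays open
        self.used = True                      # assumption: a code is single-use
        return True
```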

End-user experience

When end users sign in, attempt to reset their password, or attempt to unlock their account, they receive an email message containing the email magic link and a one-time password (OTP) code.

  • For a sign-in attempt, if the user clicks the email magic link in the same browser and no subsequent factors are required, the user is signed in automatically through a newly opened tab in the same browser. The session in the original browser tab ends.

  • However, if the user receives or opens the email magic link on a different browser or device, they must return to the original browser and click Enter a code from the email instead. Then they can enter their OTP code to complete the verification process.

  • After the end user is verified, they are redirected to the destination configured for the application. If the end user was attempting to sign in to Okta, the browser opens their Okta End-User Dashboard. However, if the end user was signing in using an embedded deployment of the Sign-In Widget, they are redirected to the location specified by the Email Verification Experience setting. See Configure settings for app integrations.

  • For a password reset, clicking the link in the email sends the user to a new tab where Okta asks them to verify that they made the request. When they affirm the request, the flow ends in the original browser tab, and they can set a new password in the new tab. If the password meets the acceptance criteria, the end user clicks Back to sign in to return to the sign-in page. If the end user clicks Enter a code from the email instead, they can set a new password in the same tab, after which the sign-in action completes.

  • When unlocking an account, clicking the link in the email also sends the end user to a new tab for verification. After they affirm the request, the flow in the new browser tab ends, and in the original browser tab they can click Back to sign in. If the end user clicks Enter a code from the email instead, they enter the code in the original browser tab, after which the unlock action completes and they can click Back to sign in.

Limitations

  • Okta always sends the authentication email to the user's primary email address.
  • If users have access to the Okta End-User Dashboard and the Okta End User Settings page, set the primary email address attribute in the user profile to read-only. Any change to a user's primary email address in their user profile automatically enrolls the user in a new email authenticator and sends all subsequent emails to the new address without additional confirmation.

Related topics

Configure the Password authenticator

Configure the Phone authenticator

Configure a WebAuthn (FIDO2) authenticator

Configure the Security Question authenticator