Configure the email authenticator

The email authenticator is a possession factor and fulfills the requirements for user presence. It allows users to authenticate with an One-Time Passcode (OTP) or email magic link (EML)that is sent to their primary email address. The user's ability to access the email verifies that the person making the sign-in attempt is the intended user.

The user’s primary email address is automatically enrolled as an authenticator for authentication and recovery in the following scenarios:

The user verifies that they own the email (for example, during Self-Service Registration).
The user isn’t required to prove that they own the email (for example, when the admin creates the user account).

You can skip auto-enrolling the email authenticator. See Make email an optional authenticator.

Add the email authenticator

In the Admin Console, go to SecurityAuthenticators.
On the Setup tab, click Add Authenticator.
Click Add on the Email tile.
Configure the following options:
- Email challenge lifetime (minutes): The default value is 5 minutes. You can increase the amount in 5-minute intervals up to 30 minutes. Best practice is 10 minutes or less.
  
  Email isn't always transmitted through secure protocols. Unauthorized third parties can intercept unencrypted messages. Assigning a shorter challenge lifetime can minimize this risk.
- This authenticator can be used for:
  
  Authentication and recovery: Users can authenticate and recover their accounts with this authenticator.
  
  Recovery: Users can recover their account with this authenticator but they can’t authenticate with it.
Click Add. The authenticator appears in the list on the Setup tab.

Add email to authenticator enrollment policy

In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.

Edit or delete the email authenticator

Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.

In Authenticators, go to the Setup tab.
Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.

Configure Email Magic Links

When using email to prove their identity, a user can manually copy an OTP from an email into the application that they want to use or click an EML. When the user clicks the EML, it automatically submits the OTP on the user’s behalf. EML only work in the same browser on the same device.

To configure EML, see the developer docs:

End-user experience

Users can sign in, reset their password, or unlock their account with the email authenticator. When the user requests an email prompt, Okta sends an EML and an OTP to the user’s primary email address. Users can either click the EML or manually enter the OTP.

EMLs only work in the same browser on the same device. If the user opens the email in a different browser or on a different device, they must return to the original browser where they requested the email and manually enter the OTP.

The flow then continues in a new tab in the original browser. In the new tab, the user provides additional verification, if required. After the user is verified, they proceed to complete their task. The session in the original tab ends.

After a successful user verification, the user continues their journey:

If they're signing in to Okta, the browser opens their End-User Dashboard.
If they're signing in to an app through an embedded Sign-In Widget, they’re redirected to the location specified by the Email Verification Experience setting. See Configure settings for app integrations.
If they’re resetting their password, once the new password is set, they’re automatically signed into their account in the same tab using the new credentials.
If they’re unlocking their account, they're signed in to the application in the same tab.