Email as an optional authenticator

Learn how email as an optional authenticator changes after the upgrade.

Change summary The Email authenticator is auto-enrolled for both authentication and recovery flows. This is a change from Classic Engine, where it's only available for authentication flows if the enrollment policy requires it.

Auto-enrollment occurs when a user verifies their primary email address or if you provide it when you create the user. This ensures that the user doesn't receive redundant email enrollment challenges if they already proved they own the email address (Self-Service Registration) or if they don't need to prove they own the email address (admin-created users).

Admin experience The Email factor must be set to Disabled or Required before you upgrade to Identity Engine. Then, in Identity Engine, choose the setting for the Email authenticator based on your use case:
  • Disabled: Okta recommends disabling the Email authenticator if the primary email accounts of your users are protected by Okta. Authentication emails are sent only to the primary email and not to the secondary email.
  • Required: Okta recommends requiring the Email authenticator for extended workforce use cases and Customer Identity and Access Management (CIAM) use cases. Validating the primary email is a common use case for these identities.

The default value for the Email authenticator is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The accepted best practice is 10 minutes or less. If an end user clicks an expired magic link, they must sign in again.

User experience Email is auto-enrolled as an authenticator. It appears as an authenticator if allowed by the policy, even when the user has enrolled in other optional authenticators.

Depending on how the user is created and who sets the password, the user may not be prompted to enroll in other optional authenticators when they first sign in.

Related topics Create an authenticator enrollment policy

About authenticator enrollment policies and rules