Email as an optional authenticator
Learn how email as an optional authenticator works after the upgrade.
|The email authenticator is auto-enrolled for both authentication and recovery flows. This is a change from Classic Engine, where it's only available for authentication flows if the enrollment policy requires it.
Auto-enrollment ensures that the user doesn't receive redundant email enrollment challenges in the following scenarios:
|The email factor must be set to Disabled or Required before you upgrade to Identity Engine. Then, in Identity Engine, choose the setting for the email authenticator based on your use case:
If you want to keep email as an Optional factor, see Skip auto-enrolling email authenticator.
The default value for the email authenticator is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The accepted best practice is 10 minutes or less. If an end user clicks an expired magic link, they must sign in again.
|Email is auto-enrolled as an authenticator except when it's an optional authenticator. It may appear as an authenticator if other policies allow it, even when the user has enrolled in other required authenticators.
Depending on how the user is created and who sets the password, the user may not be prompted to enroll in other optional authenticators when they first sign in.
|Create an authenticator enrollment policy