Email as an optional authenticator

Learn how email as an optional authenticator works after the upgrade.

Change summary

The email authenticator is auto-enrolled for both authentication and recovery flows. This is a change from Classic Engine, where it's only available for authentication flows if the enrollment policy requires it.

Auto-enrollment ensures that the user doesn't receive redundant email enrollment challenges in the following scenarios:

  • They already proved they own the email address (users created through Self-Service Registration).
  • They don't need to prove they own the email address (admin-created users).

Admin experience

If you have a policy that requires email to be an Optional factor after the upgrade, see Skip auto-enrolling email authenticator.

Otherwise, the email factor must be set to Disabled or Required before you upgrade. See the Classic Engine documentation: Configure an MFA enrollment policy.

Then, in Identity Engine, choose the setting for the email authenticator based on your use case:

  • Disabled: Recommended if the primary email accounts of your users are protected by Okta. Authentication emails are sent only to the primary email and not to the secondary email.
  • Required: Recommended for extended workforce use cases and Customer Identity and Access Management (CIAM) use cases. Validating the primary email is a common use case for these identities.

The default lifetime of the email authenticator's magic link is five minutes, but you can increase the value in five-minute increments, up to 30 minutes. The accepted best practice is 10 minutes or less. If an end user clicks an expired magic link, they must sign in again.
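The following is an added example, not Okta's own code: a small lint that checks an email-authenticator record and an enrollment policy against the guidance above (the Disabled/Required choice and the magic-link lifetime limits). The field names (`settings.tokenLifetimeInMinutes` on the authenticator, `authenticators[].enroll.self` with `REQUIRED`/`OPTIONAL`/`NOT_ALLOWED` in the enrollment policy, where `NOT_ALLOWED` is taken to be the API form of Disabled) are assumed to follow the Okta Authenticators and Policy APIs; verify them against your tenant's actual responses.

```python
# Added example (not Okta's code). The record shapes below are assumptions
# about the Okta Authenticators and Policy API responses; adjust if yours differ.

SUPPORTED_LIFETIMES = range(5, 31, 5)   # 5, 10, ..., 30 minutes (five-minute increments)
RECOMMENDED_MAX_LIFETIME = 10           # accepted best practice: 10 minutes or less


def check_email_lifetime(authenticator: dict) -> list[str]:
    """Findings for the magic-link lifetime of an email authenticator record."""
    findings = []
    lifetime = authenticator.get("settings", {}).get("tokenLifetimeInMinutes")
    if lifetime not in SUPPORTED_LIFETIMES:
        findings.append(f"lifetime {lifetime!r} is not a five-minute step between 5 and 30")
    elif lifetime > RECOMMENDED_MAX_LIFETIME:
        findings.append(f"lifetime {lifetime} min exceeds the recommended {RECOMMENDED_MAX_LIFETIME} min")
    return findings


def check_email_enrollment(policy: dict) -> list[str]:
    """Findings for how an enrollment policy treats the email authenticator.

    Before the upgrade, email should be Disabled (assumed: NOT_ALLOWED) or
    Required; an Optional setting needs the separate skip-auto-enrollment step.
    """
    findings = []
    for entry in policy.get("settings", {}).get("authenticators", []):
        if entry.get("key") != "okta_email":
            continue
        mode = entry.get("enroll", {}).get("self")
        if mode == "OPTIONAL":
            findings.append("email is Optional: see 'Skip auto-enrolling email authenticator'")
        elif mode not in ("REQUIRED", "NOT_ALLOWED"):
            findings.append(f"unexpected enrollment mode {mode!r} for email")
        break
    else:
        findings.append("enrollment policy does not mention the email authenticator")
    return findings


# Constructed sample input (not real tenant data).
SAMPLE_AUTHENTICATOR = {"key": "okta_email", "status": "ACTIVE",
                        "settings": {"allowedFor": "any", "tokenLifetimeInMinutes": 15}}
SAMPLE_POLICY = {"type": "MFA_ENROLL",
                 "settings": {"authenticators": [{"key": "okta_email", "enroll": {"self": "OPTIONAL"}}]}}

if __name__ == "__main__":
    for finding in check_email_lifetime(SAMPLE_AUTHENTICATOR) + check_email_enrollment(SAMPLE_POLICY):
        print("finding:", finding)
```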

User experience

Email is auto-enrolled as an authenticator except when it's an optional authenticator. It may appear as an authenticator if other policies allow it, even when the user has enrolled in other required authenticators.

Depending on how the user is created and who sets the password, the user may not be prompted to enroll in other optional authenticators when they first sign in.

Related topics

Create an authenticator enrollment policy

Authenticator enrollment policy