# Add MFA with Email OTP

Email OTP is a One-Time Password (OTP) sent to the user's verified email address, which the user must submit during login (as an additional authentication step). This password is typically valid for a very short period of time.

During Email OTP authentication, the user is required to access the verified email account within a short time span to get the OTP. This prevents unauthorized users from accessing the OTP, and thereby adds an extra layer of security to the authentication process.

Follow the instructions given below to configure Multi-Factor Authentication (MFA) using Email OTP in Asgardeo.

# Prerequisites

To get started, you need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.

Info

  • You can use Email OTP for multi-factor authentication only if a previous authentication step is configured with username and password or another factor that can validate user credentials.

# Set up Email OTP

Asgardeo has some default settings for email OTP, which are sufficient for most cases. If required, you can change the default settings as explained below.

To update the default Email OTP settings:

  1. On the Asgardeo Console, go to Connections and select Email OTP.

  2. Update the following parameters in the Settings tab:

    [Image: Setup email OTP in Asgardeo]

    | Parameter | Description |
    | --- | --- |
    | Email OTP expiry time | Specifies the expiry time of the OTP. The generated OTP is not valid after this expiry time. |
    | Use alphanumeric characters for OTP | Specifies whether to use alphanumeric characters in the OTP. If selected, the generated OTP contains alphanumeric characters; if not selected, the OTP contains only digits (0-9). |
    | Email OTP length | Specifies the number of characters in the OTP. |
  3. Once you update the Email OTP settings, click Update.

# Enable Email OTP for an app

To enable Email OTP for MFA, you need to add Email OTP in the authentication flow of the application.

Follow the steps given below.

  1. On the Asgardeo Console, go to Applications.

  2. Select the application to which you wish to add Email OTP.

  3. Go to the Login Flow tab of the application and add the Email OTP authenticator using your preferred editor:

    Using the Classic Editor

    • If you don't have a customized login flow, click Add Email OTP as a second factor.

      [Image: Add Email OTP authenticator]

      This opens the customized login flow with Email OTP as a second-factor authenticator.

    • If you already have a customized login flow, add a second step and select Email OTP as its authenticator.

      [Image: Customize the login flow]

    Using the Visual Editor

    To add Email OTP as a second-factor authenticator using the Visual Editor:

    1. Switch to the Visual Editor tab and go to Predefined Flows > Basic Flows > Add Multi-factor login.

    2. Select Username + Password -> Email OTP.

    3. Click Confirm to add Email OTP as a second factor to the sign-in flow.

    [Image: Configuring Email OTP authenticator in Asgardeo using the visual editor]

    Enable backup codes

    Once the Email OTP authenticator is added, select Enable backup codes. This allows users to use their backup codes to log in to the application when they cannot obtain the required MFA codes.

    • Using the Classic Editor: [Image: Enable backup codes for Email OTP authenticator]

    • Using the Visual Editor: [Image: Enable backup codes for Email OTP authenticator using the visual editor]

    Learn more about configuring backup codes for business users.

  4. Click Update to save your changes.

# How it works

When Email OTP is enabled for the organization and added to the login flow of your application, the user is prompted to enter an Email OTP after the preceding authentication steps are complete.

The steps involving Email OTP are given below.

  1. Asgardeo sends the OTP to the user's registered email address.

  2. Asgardeo prompts the user to enter the OTP code.

    [Image: Authenticate with email OTP in Asgardeo]
  3. The user can request Asgardeo to resend a new OTP. The new OTP invalidates the previously sent OTP.

  4. The user enters the OTP and clicks Continue.

  5. On successful authentication, the user can access the application.
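The three settings described earlier (expiry time, alphanumeric characters, OTP length) and the issue, resend and verify sequence above map onto a small amount of server-side logic. The Python below is an added example written for this page to show what those settings and steps enforce; it is not Asgardeo's implementation. The class names, the default values, the three-attempt cap, the hashing of the stored code and the sample addresses are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class EmailOtpSettings:
    """The three knobs from the Settings tab. Defaults here are constructed
    for this example, not Asgardeo's documented defaults."""
    expiry_seconds: int = 300
    alphanumeric: bool = False
    length: int = 6


@dataclass
class IssuedOtp:
    code_hash: str      # only a hash is kept; the clear text is emailed and discarded
    issued_at: float    # time of issue, compared against expiry_seconds
    attempts: int = 0   # submissions (right or wrong) made against this code


def _hash(code: str) -> str:
    # Keeps the clear-text code out of the store. With a short alphabet this only
    # stops casual reads, so expiry and the attempt cap carry the real weight.
    return hashlib.sha256(code.encode()).hexdigest()


class EmailOtpStore:
    """Hypothetical server-side OTP issuance and verification (example code)."""

    MAX_ATTEMPTS = 3  # constructed limit; caps online guessing of a short code

    def __init__(self, settings: EmailOtpSettings,
                 clock: Callable[[], float] = time.time):
        self.settings = settings
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self._active: Dict[str, IssuedOtp] = {}

    def generate(self) -> str:
        # Alphabet follows "Use alphanumeric characters for OTP"; length follows
        # "Email OTP length". secrets.choice draws from the OS CSPRNG.
        alphabet = (string.ascii_uppercase + string.digits
                    if self.settings.alphanumeric else string.digits)
        return "".join(secrets.choice(alphabet) for _ in range(self.settings.length))

    def issue(self, user: str) -> str:
        """Generate and record a code for `user`; return the clear text to email.
        Re-issuing replaces the record, so a resent OTP invalidates the old one."""
        code = self.generate()
        self._active[user] = IssuedOtp(code_hash=_hash(code), issued_at=self.clock())
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Return True exactly once, for the currently active, unexpired code."""
        record = self._active.get(user)
        if record is None:
            return False
        if self.clock() - record.issued_at > self.settings.expiry_seconds:
            del self._active[user]          # "Email OTP expiry time" enforced here
            return False
        record.attempts += 1
        if record.attempts > self.MAX_ATTEMPTS:
            del self._active[user]          # too many guesses: force a fresh OTP
            return False
        # Constant-time digest comparison; upper-casing lets an alphanumeric code
        # typed in lower case match, and leaves digit-only codes unchanged.
        ok = hmac.compare_digest(record.code_hash, _hash(submitted.strip().upper()))
        if ok:
            del self._active[user]          # single use: the code cannot be replayed
        return ok


if __name__ == "__main__":
    store = EmailOtpStore(EmailOtpSettings())
    code = store.issue("user@example.com")  # constructed address
    print("emailed code:", code)
    print("first submission:", store.verify("user@example.com", code))    # True
    print("replayed submission:", store.verify("user@example.com", code))  # False
```

The points worth noticing are the ones the console settings cannot show on their own: a resend replaces the previous record rather than keeping both valid, a correct submission consumes the code so it cannot be replayed, and the attempt cap means a short digit-only code cannot simply be brute-forced within the expiry window.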