9.9 Email OTP

In the Email OTP authentication method, the server sends an email containing a one-time password (OTP) to the user's email address. The user must enter the OTP on the device where authentication is required. It is a best practice to combine the Email OTP method with another method, such as Password or LDAP Password, to achieve multi-factor authentication and to prevent malicious users from flooding a user's mailbox with unsolicited authentication-request emails.

To configure the Email OTP method, specify the following parameters:

OTP period
  Lifetime of an OTP token in seconds. The default OTP period is 120 seconds. The maximum value for the OTP period is 360 seconds.

  NOTE: From Advanced Authentication 6.3 Service Pack 6, the maximum value for the OTP period is 86400 seconds (1 day).

OTP format
  Length of an OTP token. The default value is 6 digits.

Subject
  Subject of the email.

Format
  Format of the email message. The default format is Plain Text. The HTML format allows you to embed images. If you select HTML, specify the message body in HTML.

Body
  For the Plain Text format, you can specify the following variables:

    • {user}: Username.

    • {endpoint}: Device that the user authenticates to.

    • {event}: Name of the event the user is trying to authenticate to.

    • {number}: Sequence number of the OTP that the user is required to specify to authenticate.

    • {otp}: One-time password to be sent to the user.

Allow re-sending after (seconds)
  Minimum time, in seconds, that must pass after the previous OTP was sent before a fresh OTP can be re-sent for authentication.

Allow overriding email address
  Option that controls whether users can provide an email address that is not registered in the LDAP repository. The option is set to ON by default. Set it to OFF to prevent users from specifying a different email address during enrollment.

Verify email address
  This option sends a verification code to the specified email address so that users can validate the address during manual enrollment. The option is set to OFF by default. Set it to ON to permit users to check whether the enrolled email address is valid.

Allow user enrollment without e-mail
  Option that controls whether a user can enroll the Email OTP authenticator without an email address in the repository.

  Set this option to OFF to ensure that a user cannot enroll the Email OTP authenticator without an email address. The user gets an error message that you can specify in Error message.

  Set this option to ON to allow the user to enroll the Email OTP authenticator without an email address.

Allow as first authentication method
  Option that allows a user to authenticate using a chain in which the Email OTP authenticator is the first authentication method.

  The option is set to ON by default. Set it to OFF to prevent users from authenticating using a chain in which the Email OTP authenticator is the first authentication method.

  If the option is set to OFF and a user tries to authenticate using a chain in which Email OTP is the first method, the message "The method cannot be first in the login chain" is displayed and the user cannot authenticate.
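To show how the OTP period, OTP format, re-send interval and body variables above work together, here is an added Python model of the issue, re-send and verify cycle. It is not Advanced Authentication's own code; the re-send interval value and the template wording are assumptions, since the page gives no defaults for them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Defaults taken from the Email OTP settings described above.
OTP_PERIOD = 120     # seconds an OTP stays valid (default 120, maximum 360)
OTP_DIGITS = 6       # "OTP format": length of the OTP
RESEND_AFTER = 30    # "Allow re-sending after (seconds)": assumed value, no default on the page

# Plain Text body using the page's variables (the wording is assumed).
BODY_TEMPLATE = "Hi {user}, OTP #{number} for {event} on {endpoint} is {otp}."


@dataclass
class OtpState:
    otp: str
    issued_at: float
    number: int = 1      # {number}: how many OTPs have been sent in this attempt
    used: bool = False   # an OTP is accepted once only


def generate_otp(digits: int = OTP_DIGITS) -> str:
    # CSPRNG digits, zero-padded so the length is always exactly `digits`.
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


def issue(user, endpoint, event, state=None, now=None, resend_after=RESEND_AFTER):
    """Issue a fresh OTP, or re-send one; refuse a re-send inside the interval.

    The caller discards the previous state, so the earlier OTP stops working."""
    now = time.time() if now is None else now
    number = 1
    if state is not None:
        if now - state.issued_at < resend_after:
            raise PermissionError("re-send requested too early")
        number = state.number + 1
    state = OtpState(otp=generate_otp(), issued_at=now, number=number)
    body = BODY_TEMPLATE.format(user=user, endpoint=endpoint, event=event,
                                number=number, otp=state.otp)
    return state, body


def verify(state, submitted, now=None, period=OTP_PERIOD) -> bool:
    """Accept only an unused OTP submitted within `period` seconds of issue."""
    now = time.time() if now is None else now
    if state.used or now - state.issued_at > period:
        return False
    if not hmac.compare_digest(state.otp, submitted):  # constant-time compare
        return False
    state.used = True
    return True
```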

9.9.1 Customizing Email Settings for an Event

You can customize the email settings for a specific event in the Event Customization tab. An email with OTP is delivered to users based on the settings configured for each event.

To customize the Email Settings to a specific event, perform the following steps:

  1. Navigate to Methods > Email OTP > Event Customization in the Administration portal.

  2. Click the Add Custom Event icon (+).

  3. Select a preferred event from the list.

  4. Modify the email settings for the event as per the requirement.

  5. (Conditional) If you want to customize the method name for the event, expand Custom names and specify the method name in the required language field.

  6. Click Save.

For example, let us assume an organization's requirement is to customize the email settings for the Windows logon event as follows:

OTP period
  180 seconds

OTP format
  8 digits

Subject of email
  OTP for authentication

Body
  Hi {username}
  Your one-time-password to authenticate to the Windows workstation is {otp}.
  Thanks, Support team

Following are the steps to customize the email settings for the Windows logon event according to the preceding requirement:

  1. Click Methods > Email OTP > Event Customization in the Administration portal.

  2. Click the Add Custom Event icon.

  3. Select the Windows logon event from the list.

  4. Modify the settings as per the above table.

  5. Click Save.

With the above configuration, when an end user tries to log in to a Windows workstation with the Email OTP method, an 8-digit OTP is sent to the registered email address, and the OTP is valid for 3 minutes (180 seconds).