9.11 Email OTP

In the Email OTP authentication method, the server sends an email containing a one-time password (OTP) to the user's e-mail address. The user must enter the OTP on the device on which they need to authenticate. It is a best practice to combine the Email OTP method with another method, such as Password or LDAP Password, to achieve multi-factor authentication and to prevent malicious users from flooding a user's mailbox with authentication-request emails.

To configure the Email OTP method, specify the following details:

Parameter

Description

OTP period

Lifetime of an OTP token in seconds. The default OTP period is 120 seconds. Maximum value for the OTP period is 360 seconds.

OTP format

Length of an OTP token. The default value is 6 digits.

Subject

Subject of the mail.

Format

Format of the email message. The default format is Plain Text. The HTML format allows embedded images; when you select it, you specify the message body as HTML.

Body

For the Plain Text format, you can specify the following variables:

  • {user}: Username.

  • {endpoint}: Device to which the user authenticates.

  • {event}: Name of the event to which the user is trying to authenticate.

  • {number}: Sequence number of the OTP that the user must enter to authenticate.

  • {otp}: One-Time-Password to be sent to the user.

Allow re-sending after (seconds)

Minimum time, in seconds, after the previous OTP was sent before a fresh OTP can be re-sent for authentication.

Allow overriding email address

Option that controls whether users can provide an email address that is not registered in the LDAP repository. The option is set to ON by default. Set it to OFF to prevent users from specifying a different email address during enrollment.

Verify email address

This option sends a verification code to the specified email address and lets users validate that address during manual enrollment. The option is set to OFF by default. Set it to ON to let users check whether the enrolled email address is valid.

Allow user enrollment without e-mail

Option that controls whether a user can enroll the Email OTP authenticator without an email address in the repository.

Set this option to OFF to ensure that a user cannot enroll the Email OTP authenticator without an email address. The user gets an error message that you can specify in Error message.

Set this option to ON to allow the user to enroll the Email OTP authenticator without an email address.

Allow as first authentication method

Option that allows a user to authenticate using a chain in which the Email OTP authenticator is the first authentication method.

The option is set to ON by default. Set it to OFF to prevent users from authenticating with a chain in which the Email OTP authenticator is the first method.

If the option is set to OFF and a user tries to authenticate using a chain in which Email OTP is the first method, the user sees the message The method cannot be first in the login chain and cannot authenticate.

NOTE: After you configure the Email OTP method, you must also configure the Mail Sender policy so that the Email OTP can be delivered to users.
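The parameters above (OTP period, OTP format, the re-send interval, and the {user}/{endpoint}/{event}/{number}/{otp} body variables) describe the server-side behaviour of an email OTP flow. The following Python sketch is an added example written for this page; it is not the product's code, and the class and variable names, the 30-second re-send value, the attempt limit, and the mail-sending callback are assumptions. It shows the checks a defender cares about: the code is drawn from the OS CSPRNG, expires after the OTP period, is single-use, is compared in constant time, and a fresh mail is refused until the re-send interval has passed, which is what limits mailbox flooding.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass

# Values mirror the page's parameters; the names are this example's own.
OTP_PERIOD_SECONDS = 120     # "OTP period": lifetime of the token (default 120, max 360)
OTP_LENGTH = 6               # "OTP format": number of digits (default 6)
RESEND_AFTER_SECONDS = 30    # "Allow re-sending after (seconds)": constructed value
MAX_ATTEMPTS = 5             # constructed: discard the code after too many wrong guesses

# Plain Text body using the variables listed on the page.
PLAIN_TEXT_BODY = (
    "Hello {user},\n"
    "your one-time password for {event} on {endpoint} is {otp} "
    "(request #{number}). It expires shortly."
)


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    sequence: int = 1
    attempts: int = 0


class EmailOtpService:
    """Issues and verifies email OTPs for one or more users."""

    def __init__(self, send_mail, period=OTP_PERIOD_SECONDS, length=OTP_LENGTH,
                 resend_after=RESEND_AFTER_SECONDS, clock=time.time):
        if not 1 <= period <= 360:
            raise ValueError("OTP period must be between 1 and 360 seconds")
        self.send_mail = send_mail        # callable(to_address, subject, body)
        self.period = period
        self.length = length
        self.resend_after = resend_after
        self.clock = clock                # injectable for deterministic tests
        self._pending: dict[str, PendingOtp] = {}

    def _new_code(self) -> str:
        # secrets.choice uses the OS CSPRNG; random.randint would be predictable.
        return "".join(secrets.choice(string.digits) for _ in range(self.length))

    def request(self, user: str, email: str, endpoint: str, event: str) -> bool:
        """Send a fresh OTP. Returns False if the re-send interval has not elapsed."""
        now = self.clock()
        prev = self._pending.get(user)
        sequence = 1
        if prev is not None:
            if now - prev.issued_at < self.resend_after:
                return False              # too soon: do not send another mail
            sequence = prev.sequence + 1  # a new code replaces (invalidates) the old one
        code = self._new_code()
        self._pending[user] = PendingOtp(code=code, issued_at=now, sequence=sequence)
        body = PLAIN_TEXT_BODY.format(user=user, endpoint=endpoint, event=event,
                                      number=sequence, otp=code)
        self.send_mail(email, "Your one-time password", body)
        return True

    def verify(self, user: str, submitted: str) -> bool:
        """Check a submitted code: must exist, be unexpired, and match; single use."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > self.period:
            del self._pending[user]       # expired: user must request a new one
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user]       # brute-force guard
            return False
        ok = hmac.compare_digest(entry.code, str(submitted))  # constant-time compare
        if ok:
            del self._pending[user]       # a code can only be consumed once
        return ok
```

In a real deployment the pending state would live in a shared store rather than a process-local dictionary, and `send_mail` would hand the message to the Mail Sender policy the NOTE above refers to; the lifetime, single-use and re-send checks stay the same.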