How to configure email as a second factor for MFA with OIE and bypass the email access challenge

Question:

How can I enable email as a second factor for MFA with Okta Identity Engine (OIE) without interfering with the first time login experience?

I am using Okta in an AD-controlled environment, where users are created in AD and synced to Okta. With the Classic Engine, users had to set up MFA (Okta Verify, Google Auth, SMS, email) when they signed in for the first time. With OIE, users are automatically sent an email code when they log in, which is supposed to make the login experience seamless. However, this creates a problem because accessing the email requires an MFA challenge. The only workaround I have found is to disable email as a second factor, but I want to keep it as an option for recovery purposes. I have tried various solutions suggested by support, but none of them worked. It seems like a design flaw that OIE does not consider the MFA requirement for email access. I want to allow users to enroll their MFA themselves without IT intervention, as was possible with the Classic Engine. Is there a way to achieve this with OIE?

Answer:

How to use email as a second factor for MFA with Okta Identity Engine

Okta Identity Engine (OIE) is Okta's newer platform for customizing and extending your identity and access management (IAM) experience. One of its features is a seamless first-time login experience: users are automatically sent an email code when they log in. However, this feature causes a problem if you also want to use email as a second factor for multi-factor authentication (MFA), especially in an Active Directory (AD) controlled environment.

If you are using Okta in an AD-controlled environment, where users are created in AD and synced to Okta, you may encounter the following problem when you enable email as a second factor for MFA with OIE:

  • When a user signs in for the first time, they are automatically enrolled in email as a second factor, and an email code is sent to their email address.
  • However, in order to access their mailbox, they need to pass an MFA challenge, which requires them to already have another second factor set up, such as Okta Verify, Google Auth, or SMS.
  • If the user does not have another second factor set up, they cannot access their mailbox, and therefore cannot enter the email code and complete the login process.
  • The only workaround for this problem is to disable email as a second factor, but this means that you lose the option to use email for recovery purposes, such as resetting passwords or unlocking accounts.
  • This looks like a design flaw: OIE does not account for the MFA requirement on email access. It also contradicts the goal of a seamless first-time login experience, as it creates a frustrating and confusing situation for the user. Moreover, it prevents you from letting users enroll their MFA themselves without IT intervention, as was possible with the Classic Engine.

The solution for using email as a second factor for MFA with OIE

Fortunately, there is a way to use email as a second factor for MFA with OIE without interfering with the first-time login experience. The solution involves the following steps:

  • Create a custom sign-in policy for your AD users, and assign it to the AD group that contains your users.
  • In the custom sign-in policy, configure the following settings:
      ◦ Under Enrollment, select Optional for email as a second factor, and Required for at least one other second factor, such as Okta Verify, Google Auth, or SMS.
      ◦ Under Authentication, select Permit for email as a second factor, and Deny for all other second factors.
  • In the OIE admin console, go to Security > Profile Enrollment, and enable the Skip optional enrollments option.

With this configuration, the following will happen:

  • When a user signs in for the first time, they will be prompted to set up at least one second factor other than email, such as Okta Verify, Google Auth, or SMS.
  • After they set up that second factor, they will be able to access their mailbox and enter the email code that was sent to them automatically.
  • They will also have the option to enroll in email as a second factor later, by going to their profile settings and clicking Set up next to email.
  • When they sign in again, they will be able to use email as a second factor, as well as the other second factor that they set up previously.

This solution lets you use email as a second factor for MFA with OIE without interfering with the first-time login experience. It keeps email available for recovery purposes, allows users to enroll their MFA themselves without IT intervention, and sidesteps the design flaw that OIE does not account for the MFA requirement on email access.
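As an added example (not code from the original article or from Okta), the following Python helper builds the authenticator enrollment policy described above for the AD group, and checks it for the email-only bootstrap deadlock before it is pushed. The payload shape (MFA_ENROLL policy, settings.type AUTHENTICATORS, authenticator keys such as okta_email and okta_verify, the SSWS token header) is assumed from the Okta Policy API, and the group ID is a placeholder.

```python
"""Build and sanity-check an OIE authenticator enrollment policy.

Assumptions (not from the article): Okta's Policy API accepts a MFA_ENROLL
policy whose settings list authenticators by key with enroll.self set to
REQUIRED / OPTIONAL / NOT_ALLOWED. Confirm against your org's API docs.
"""
import json
import urllib.request

EMAIL_KEY = "okta_email"


def build_enrollment_policy(name, group_id, required_keys, optional_keys=()):
    """Return the JSON body for an authenticator enrollment policy.

    Every key in required_keys must be enrolled at first sign-in; email is
    always listed as OPTIONAL so it stays available for recovery.
    """
    auths = [{"key": k, "enroll": {"self": "REQUIRED"}} for k in required_keys]
    auths += [{"key": k, "enroll": {"self": "OPTIONAL"}} for k in optional_keys]
    if EMAIL_KEY not in list(required_keys) + list(optional_keys):
        auths.append({"key": EMAIL_KEY, "enroll": {"self": "OPTIONAL"}})
    return {
        "type": "MFA_ENROLL",
        "name": name,
        "status": "ACTIVE",
        "conditions": {"people": {"groups": {"include": [group_id]}}},
        "settings": {"type": "AUTHENTICATORS", "authenticators": auths},
    }


def has_bootstrap_deadlock(policy):
    """True when a first-time user could end up with email as their only
    factor: the mailbox itself is MFA-protected, so the code is unreadable.
    Safe only if at least one non-email authenticator is REQUIRED."""
    auths = policy["settings"]["authenticators"]
    return not any(
        a["key"] != EMAIL_KEY and a["enroll"]["self"] == "REQUIRED" for a in auths
    )


def push_policy(org_url, api_token, policy):
    """POST the policy to /api/v1/policies (network call; not exercised here)."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run has_bootstrap_deadlock on the policy before calling push_policy; a True result means the configuration would recreate the locked-out first login described above.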

Conclusion

Okta Identity Engine is a powerful platform that allows you to customize and extend your IAM experience. However, it also introduces some challenges, such as the problem of using email as a second factor for MFA with OIE. By following the solution described in this article, you can overcome this problem and use email as a second factor for MFA with OIE without interfering with the first-time login experience. This will improve the security and usability of your IAM system and provide a better experience for your users.
