This article explains how the one-time passcode lifetime of the email factor behaves in comparison to the SMS 6-digit passcode.
- Security
- Multi-Factor Authentication (MFA)
- One Time Password (OTP)
Because Okta sends the MFA email itself, the token is valid for 5 minutes by default, or less if another code is generated in the meantime. The lifetime can be increased in 5-minute increments up to 30 minutes in the email factor settings. The generally accepted best practice is 10 minutes or less.
When the code is sent through SMS, a third-party provider is used. The token validity depends on the version of Okta running on that tenant:
- Okta Classic: The token is valid for 5 minutes, even if a new code has been generated; each token keeps its own 5-minute validity window.
- Okta Identity Engine: The token is valid for 5 minutes. If a token is resent, the first token is immediately invalidated, and only the new token is valid for 5 minutes.
For SMS the OTP is valid for five minutes; this is hard-coded and cannot be changed.
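The two resend behaviors above (Classic keeps every issued token alive for its own window; Identity Engine revokes earlier tokens on resend) and the email lifetime constraints are easy to model. The following is an added example written for this article, not Okta's own code or API: it is a small in-memory OTP issuer with a `mode` switch for the two behaviors, explicit `now` timestamps so the expiry math is deterministic, single-use consumption on successful verification, and a helper that checks an email lifetime setting against the documented 5-to-30-minute, 5-minute-step range. All names and the `classic`/`oie` mode labels are assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass

# Lifetimes from the article, in seconds (constructed constants for this example).
SMS_LIFETIME = 5 * 60            # hard-coded for SMS, cannot be changed
EMAIL_DEFAULT_LIFETIME = 5 * 60  # email factor default
EMAIL_MAX_LIFETIME = 30 * 60     # email factor upper bound


@dataclass
class Token:
    code: str
    issued_at: float   # seconds since some epoch; caller supplies "now"
    lifetime: int      # seconds the token stays valid
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        # Expired at exactly issued_at + lifetime, and never valid once revoked.
        return not self.revoked and now < self.issued_at + self.lifetime


class OtpFactor:
    """Per-user OTP issuer modelling the two resend behaviours described above.

    mode="classic": a resend issues an additional token; earlier tokens keep
                    their own 5-minute windows (Okta Classic behaviour).
    mode="oie":     a resend immediately revokes every earlier token
                    (Okta Identity Engine behaviour).
    """

    def __init__(self, mode: str, lifetime: int = SMS_LIFETIME):
        if mode not in ("classic", "oie"):
            raise ValueError("mode must be 'classic' or 'oie'")
        self.mode = mode
        self.lifetime = lifetime
        self._tokens: list[Token] = []

    def send(self, now: float) -> str:
        """Issue (or resend) a 6-digit code and return it for delivery."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        if self.mode == "oie":
            for token in self._tokens:
                token.revoked = True   # only the newest token may be used
        self._tokens.append(Token(code, now, self.lifetime))
        return code

    def verify(self, code: str, now: float) -> bool:
        """Accept the code if any unexpired, unrevoked token matches; consume it."""
        for token in self._tokens:
            if token.is_valid(now) and hmac.compare_digest(token.code, code):
                token.revoked = True   # single use: a replayed code must fail
                return True
        return False


def is_allowed_email_lifetime(minutes: int) -> bool:
    """True if the setting is within 5..30 minutes in 5-minute increments."""
    return 5 <= minutes <= 30 and minutes % 5 == 0


def email_lifetime_seconds(minutes: int) -> int:
    """Convert a validated email lifetime setting to seconds."""
    if not is_allowed_email_lifetime(minutes):
        raise ValueError("email OTP lifetime must be 5..30 minutes in 5-minute steps")
    return minutes * 60


if __name__ == "__main__":
    classic = OtpFactor("classic")
    first, second = classic.send(0), classic.send(60)
    print("classic: first code still valid after resend?", classic.verify(first, 200))

    oie = OtpFactor("oie")
    first, second = oie.send(0), oie.send(60)
    print("oie: first code still valid after resend?", oie.verify(first, 61))
    print("oie: new code valid?", oie.verify(second, 61))
```

Two design points worth noting from a defender's view: the comparison uses `hmac.compare_digest` so verification time does not leak how many leading digits matched, and a successfully used token is revoked so the same code cannot be replayed inside its window. The Identity Engine mode shrinks the number of simultaneously valid codes to one, which is why it is the tighter of the two behaviors.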
