Email Authenticator Disabled in Enrollment Policy
Multi-Factor Authentication
Okta Identity Engine
Overview

This article describes how the Email authenticator's configuration across different policies affects the end-user experience.

Applies To
  • Multi-Factor Authentication (MFA)
  • Email Authenticator
  • Okta Identity Engine (OIE)
Solution

Consider a scenario wherein: 

  • The "Email" authenticator is enabled for both authentication and recovery.
    • Under Security > Authenticators > Setup > Email > Actions > Edit, Used for is set to Authentication and recovery.

  • Email is disabled in the Enrollment Policy. 
    • Under Security > Authenticators > Enrollment > select the Policy/Rule > Email is Disabled.
  • Email is one of the recovery authenticators in the Password Policy:
    • Under Security > Authenticators > Setup > Password > Actions > Edit > Scroll down to Rule > Edit Rule > under Recovery authenticators, Users can initiate recovery with > Email is enabled.


  • Email verification is set as Required before access is granted:
    • Under Security > Profile Enrollment > select the Profile Enrollment Policy/Rule > under Actions, click Edit > under Profile Enrollment, Email verification is set to Required before access is granted.

Login Flow:

  1. A new user signs up for the Org.
  2. The next step is to immediately verify the email.
  3. Then, the user verifies the email.
  4. This email address is now valid, and the user can use it for both authentication and recovery.
  5. Only optional authenticators appear, and "Email" is not listed among them because it is disabled in the enrollment policy.
  6. If an end user does not enroll any of these optional authenticators after they hit Continue, the end user will automatically sign in. 
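
The combination of settings in this scenario can be checked against exported configuration JSON. This is an added example, not Okta's own code; the field names and values (okta_email, allowedFor, enroll.self, NOT_ALLOWED, selfServicePasswordReset, activationRequirements.emailVerification) are assumptions modelled on Okta's Authenticators and Policies API responses, and the sample data is constructed.

```python
# Added example: field names are assumptions modelled on Okta's Authenticators
# and Policies API JSON; confirm them against your own org's responses.

def dig(obj, *keys, default=None):
    """Walk nested dicts, returning default when any key is missing."""
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return default
        obj = obj[k]
    return obj

def audit_email(authenticators, enroll_policy, password_rule, profile_rule):
    """Report the four settings from the scenario and whether all of them hold."""
    email = next((a for a in authenticators if a.get("key") == "okta_email"), {})
    enroll = next((a for a in dig(enroll_policy, "settings", "authenticators", default=[])
                   if a.get("key") == "okta_email"), {})
    methods = dig(password_rule, "actions", "selfServicePasswordReset",
                  "requirement", "primary", "methods", default=[])
    state = {
        # Setup > Email > "Used for": Authentication and recovery (assumed value "any")
        "auth_and_recovery": email.get("status") == "ACTIVE"
                             and dig(email, "settings", "allowedFor") == "any",
        # Enrollment policy: Email is Disabled (assumed value "NOT_ALLOWED")
        "hidden_from_enrollment": dig(enroll, "enroll", "self") == "NOT_ALLOWED",
        # Password policy rule: users can initiate recovery with Email
        "recovery_with_email": "email" in methods,
        # Profile enrollment: email verification required before access is granted
        "verified_at_signup": dig(profile_rule, "actions", "profileEnrollment",
                                  "activationRequirements", "emailVerification") is True,
    }
    # All four together: Email is absent from the enrollment list, yet the address
    # verified at sign-up is usable for authentication and recovery.
    state["matches_scenario"] = all(state.values())
    return state

# Constructed sample configuration (not exported from a real org).
SAMPLE = dict(
    authenticators=[{"key": "okta_password", "status": "ACTIVE"},
                    {"key": "okta_email", "status": "ACTIVE", "settings": {"allowedFor": "any"}}],
    enroll_policy={"type": "MFA_ENROLL", "settings": {"authenticators": [
        {"key": "okta_email", "enroll": {"self": "NOT_ALLOWED"}},
        {"key": "okta_verify", "enroll": {"self": "OPTIONAL"}}]}},
    password_rule={"actions": {"selfServicePasswordReset": {
        "access": "ALLOW", "requirement": {"primary": {"methods": ["email"]}}}}},
    profile_rule={"actions": {"profileEnrollment": {
        "activationRequirements": {"emailVerification": True}}}},
)

if __name__ == "__main__":
    for setting, value in audit_email(**SAMPLE).items():
        print(f"{setting}: {value}")
```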

 

 
