This article describes how the configuration of the Email authenticator across different policies affects the end-user experience.
- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)
- Email Authenticator
- Password Policy
- Profile Enrollment Policy
Consider the following scenario:
- Email is set up for both Authentication and Recovery:
Under Security > Authenticators > Setup > Email > Actions > Edit.
- Email is set up under Authenticators to be "Optional":
Under Security > Authenticators > Enrollment > under Rule, the Email is set to be "Optional".
- Email is not one of the Recovery Factors:
Under Security > Authenticators > Password > Actions > Edit > scroll down to Rules > Edit > Recovery authenticators > Users can initiate recovery with.
- Email Verification is set to be disabled for "Required before access is granted":
Under Security > Profile Enrollment > select the Profile Enrollment Policy / Rule > under Actions, click Edit > under Profile Enrollment, Email verification is disabled for Required before access is granted.
Login Flow:
- A new user signs up for the org.
- An email verification message is not sent, and Email is listed as one of the optional authenticators for enrollment.
- If the end user signs up without enrolling in Email, the end user's Settings page shows the message "Check the email sent to [Email Address] to confirm it as your primary email" under Account > Personal Information.
