This article presents the troubleshooting steps to take when the Email authenticator is enabled as part of the two-factor authentication method, but the user is not prompted for it when signing in.
Applies to:
- Okta Identity Engine (OIE)
- Multi-factor Authentication (MFA)
- Email authenticator
This issue may be encountered when the Email authenticator is set as Optional or when the authentication policy requires only a password.
- Log in to the Admin Console and navigate to Security > Authenticators. The Setup tab opens and lists the authenticators configured for the org.
- Look for the Email authenticator and click on the Actions button related to it.
- From the dropdown menu, click on Edit. Make sure that the Authentication and recovery option is selected.
- Go to the Enrollment tab and look for the policy that is used for authentication. Click the Edit button and make sure that the Email authenticator is set to Required for that policy.
- Navigate to Security > Authentication Policies and look for the policy that applies to the end user or group for which the issue was reported. Make sure that the Exclude phone and email authenticators option is not selected and that, in the User must authenticate with section, the selected options are compatible with possession factors.
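The same three checks can be run offline against exported configuration JSON. This is an added example, not Okta's code and not part of the original article. The field names (`allowedFor`, `enroll.self`, `factorMode`, `deviceBound`) and the `okta_email` key are assumptions based on the JSON shapes of Okta's Authenticators and Policies APIs, so verify them against an export from your own org. The sample objects are constructed.

```python
# Added example. Field names are assumed from Okta's Authenticators and
# Policies API JSON; the sample objects are constructed, not real exports.

def email_prompt_blockers(authenticator, enroll_policy, rule):
    """Return the reasons the Email authenticator would not be prompted."""
    reasons = []
    # Authenticator must be enabled for authentication, not recovery only.
    allowed = authenticator.get("settings", {}).get("allowedFor")
    if authenticator.get("status") != "ACTIVE":
        reasons.append("email authenticator is not active")
    elif allowed not in ("any", "sso"):
        reasons.append(f"email authenticator allowedFor={allowed!r} (not authentication)")
    # Enrollment policy must set the Email authenticator to Required.
    entries = enroll_policy.get("settings", {}).get("authenticators", [])
    enroll = next((e.get("enroll", {}).get("self") for e in entries
                   if e.get("key") == "okta_email"), None)
    if enroll != "REQUIRED":
        reasons.append(f"enrollment policy sets email to {enroll or 'absent'}")
    # Authentication policy rule must ask for a second factor that email can satisfy.
    vm = rule.get("actions", {}).get("appSignOn", {}).get("verificationMethod", {})
    if vm.get("factorMode") != "2FA":
        reasons.append(f"rule factorMode={vm.get('factorMode')!r} (single factor)")
    # Constraint objects are alternatives: email is shut out only if every one
    # of them requires a device-bound possession factor.
    constraints = vm.get("constraints", [])
    if constraints and all(c.get("possession", {}).get("deviceBound") == "REQUIRED"
                           for c in constraints):
        reasons.append("rule excludes phone and email authenticators")
    return reasons

def sample(allowed_for, enroll, factor_mode, constraints):
    """Build constructed (authenticator, enrollment policy, rule) objects."""
    authenticator = {"key": "okta_email", "status": "ACTIVE",
                     "settings": {"allowedFor": allowed_for}}
    policy = {"type": "MFA_ENROLL", "settings": {"authenticators": [
        {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
        {"key": "okta_email", "enroll": {"self": enroll}}]}}
    rule = {"actions": {"appSignOn": {"verificationMethod": {
        "factorMode": factor_mode, "constraints": constraints}}}}
    return authenticator, policy, rule

MISCONFIGURED = sample("recovery", "OPTIONAL", "1FA", [])
DEVICE_BOUND = sample("any", "REQUIRED", "2FA", [{"possession": {"deviceBound": "REQUIRED"}}])
FIXED = sample("any", "REQUIRED", "2FA", [{"possession": {}}])

if __name__ == "__main__":
    for name, cfg in [("misconfigured", MISCONFIGURED), ("device-bound", DEVICE_BOUND), ("fixed", FIXED)]:
        print(name, email_prompt_blockers(*cfg) or "email can be prompted")
```

An empty result means none of the three conditions from the steps above is blocking the email prompt.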
