Okta Authentication Failure When Using Multiple Identifiers with Legacy Auth API
Okta Classic Engine
Okta Identity Engine
Lifecycle Management
Overview

Users attempting to authenticate with a custom identifier (for example, taxIdentifier) receive the following error, even though the attribute is correctly configured as a login alias in Okta Identity Engine (OIE). Authentication only succeeds when the primary email/username is used.

 

E0000004 (Authentication Failed)

 

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Custom Attributes (Tax ID, Employee Number, etc.)
  • Applications using the Legacy Authentication API (/api/v1/authn)
  • Multiple Identifiers feature
Cause

The /api/v1/authn endpoint is a Classic Engine legacy API. It is architecturally limited to validating credentials against the primary login field (Username) only. It does not support the "Multiple Identifiers" policy logic found in OIE, so it cannot look up a user profile by a custom attribute, even if that attribute is marked as a unique login alias in the Admin Console.
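
To gauge how many failed sign-ins this limitation accounts for, an application team can triage its own attempt records against a profile export. The following is an added example, not code from Okta or from this article; the directory export, the record shape, the sample values and the category labels are all constructed for illustration.

```javascript
// Added example: triage of E0000004 responses from /api/v1/authn (constructed data).
const LEGACY_PATH = '/api/v1/authn';
const AUTH_FAILED = 'E0000004';
const FAILED_BODY = '{"errorCode":"E0000004","errorSummary":"Authentication failed"}';

// Hypothetical profile export: primary login plus the custom login alias.
const directory = [
  { login: 'ana.silva@example.com', taxIdentifier: '123-45-6789' },
  { login: 'raj.patel@example.com', taxIdentifier: '987-65-4321' },
];

// Hypothetical application-side sign-in records (identifier only, no passwords).
const attempts = [
  { path: LEGACY_PATH, identifier: '123-45-6789', body: FAILED_BODY },
  { path: LEGACY_PATH, identifier: 'ana.silva@example.com', body: FAILED_BODY },
  { path: LEGACY_PATH, identifier: 'raj.patel@example.com', body: '{"status":"SUCCESS"}' },
  { path: LEGACY_PATH, identifier: '000-00-0000', body: FAILED_BODY },
  { path: LEGACY_PATH, identifier: ' 987-65-4321 ', body: FAILED_BODY },
  { path: LEGACY_PATH, identifier: 'raj.patel@example.com', body: '<html>Bad Gateway</html>' },
];

// Trimming and lower-casing before comparison is an assumption of this example.
const norm = (s) => String(s).trim().toLowerCase();

function classify(attempt, users) {
  if (attempt.path !== LEGACY_PATH) return 'not-legacy-endpoint';
  let code = null;
  try {
    code = JSON.parse(attempt.body).errorCode ?? null;
  } catch {
    code = null; // non-JSON body (proxy error page, empty response)
  }
  if (code !== AUTH_FAILED) return 'not-auth-failure';
  const id = norm(attempt.identifier);
  if (users.some((u) => norm(u.login) === id)) return 'primary-login-failure';
  // A value that only matches the alias is never looked up by the legacy API.
  if (users.some((u) => norm(u.taxIdentifier) === id)) return 'alias-on-legacy-endpoint';
  return 'unknown-identifier';
}

function summarize(records, users) {
  const counts = {};
  for (const r of records) {
    const label = classify(r, users);
    counts[label] = (counts[label] || 0) + 1;
  }
  return counts;
}

console.log(summarize(attempts, directory));
```

A high count under `alias-on-legacy-endpoint` indicates failures that stem from the endpoint's limitation rather than from wrong passwords.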

Solution

To resolve the issue, use one of the following options:

Option 1: Migrate to IDX API

Update the application integration to use the IDX API or Okta Identity Engine SDKs. Unlike the legacy API, the IDX flow uses a "remediation-based" approach that checks the identifier against all allowed attributes defined in the Profile Enrollment Policy before requesting a password.

  • Endpoint change: Transition from /api/v1/authn to the /oauth2/v1/interact flow.
  • SDKs: Use the Okta Auth JS SDK (v5.0+) or language-specific OIE SDKs.

Option 2: Match the primary login to the custom identifier

If migrating to IDX is not immediately possible, the user's primary login attribute in Okta must be changed to match the custom identifier (for example, setting the user's login to their Tax ID). However, this may impact other integrations that rely on email as the primary key.
