Okta Identity Engine | Multi-Factor Authentication | Answered
Timestamps: 2022-09-23T03:11:07.000Z, 2022-09-23T23:45:59.000Z, 2024-04-16T12:57:00.000Z

ug2d5 (ug2d5) asked a question.

Disabling "Email Verification" as an alternative to Password

Hi all, not sure if anyone has seen or dealt with this before.

We recently performed the upgrade to OIE, and noticed something that wasn't mentioned in the documentation or "list of changes" from Classic to OIE.

We require Email MFA to be used for certain users who do not have a mobile phone.

After the upgrade, we have noticed that when logging in from a new browser, any/all users are prompted to "verify" with either email or password. It appears to allow the user to use an email magic link in place of their password.

The behaviour/flow looks like this:

1. Navigate to the Okta Sign On page from a new browser/incognito.
2. Click Next.
3. User is asked to use either Email or Password to Verify.
4. Once either option is satisfied, the user is prompted for any MFA required, e.g. Okta Verify push notification.

Note, this is different to "Email MFA", this is specifically allowing email to be used in place of the password.

I'm wondering if anyone knows how this can be disabled, and password can be set as the only option, like how it used to be.

Unfortunately, this option to use either email or password shows for all users, even if Email MFA is set to "Disabled" under the authenticator enrollment policies.

In the Authenticators page, email is set to allow for Authentication+Recovery, and in my testing, setting it to Recovery-only fixes this. However, it also removes the option for email to be used as MFA, meaning a subset of users can't log in at all because they have no valid MFA configured...

We need the sign on screen to only use email + password, as we will otherwise need to train users to ignore the email option and select password.

Has anyone seen or dealt with this before?


  • ug2d5 (ug2d5)

    I created a case with Okta, and they found what was causing this flow to occur.

    For anyone else who finds this, it is caused by a feature called "User Enumeration Prevention".

    You can read about it here:

    https://help.okta.com/oie/en-us/Content/Topics/Security/Security_General.htm

    To disable it:

    1. In the Admin Console, go to Security > General.
    2. In the User Enumeration Prevention section, click Edit.
    3. Select the Disabled option from the User enumeration prevention dropdown list.
    4. Click Save.

    Once this is disabled, you should no longer be asked to choose between password or email for a login from a new device.

    I also tested with an additional sandbox environment by removing all app authentication policies except ones that asked for only password, and unfortunately it still asked for email and password. The issue only resolved once User Enumeration Prevention was disabled.

    Selected as Best
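The accepted answer above traces the email-or-password prompt to the User Enumeration Prevention setting. The Python model below is added here as an illustration and is not Okta's code or anything the thread contains; it shows why a feature with that purpose has to present every identifier with the same set of verification options, and why that necessarily surfaces an email option even for accounts that only have a password. The directory, usernames, option names and the "uniform option set" rule are all constructed assumptions; Okta's real internal logic is not documented on this page.

```python
"""Toy model of a sign-in identify step, with and without user-enumeration prevention.

Constructed illustration, not Okta's implementation. The point: if the prompt after
"Next" depended on what the named account has enrolled, the sign-in page itself
would reveal which usernames exist and which do not.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed directory (not a real tenant): username -> enrolled authenticators.
USERS: Dict[str, FrozenSet[str]] = {
    "alice@example.test": frozenset({"password", "email"}),  # has Email MFA
    "bob@example.test": frozenset({"password"}),             # password only
}

# With enumeration prevention on, every identifier must get the same prompt, so the
# option set has to be fixed and independent of the account looked up. Assumed here:
# the authenticators the org allows for authentication (password and email).
UNIFORM_OPTIONS: FrozenSet[str] = frozenset({"password", "email"})


@dataclass(frozen=True)
class IdentifyResponse:
    """What the sign-in page shows after the user enters an identifier and clicks Next."""
    status: str                                   # "verify" or "error"
    options: FrozenSet[str] = frozenset()         # verification methods offered
    message: str = ""


def identify(username: str, enumeration_prevention: bool) -> IdentifyResponse:
    """Identify step of the constructed sign-in flow."""
    enrolled: Optional[FrozenSet[str]] = USERS.get(username)
    if enumeration_prevention:
        # The directory lookup must not influence what is displayed.
        return IdentifyResponse("verify", UNIFORM_OPTIONS, "Verify with one of the following")
    if enrolled is None:
        # Distinct response for unknown users: convenient, but it confirms non-existence.
        return IdentifyResponse("error", message="Unable to sign in")
    # Known user: offer only what that account has actually enrolled.
    return IdentifyResponse("verify", enrolled, "Verify with one of the following")


def leaks_existence(enumeration_prevention: bool) -> bool:
    """True if an observer can tell an enrolled identifier from an unknown one."""
    known = identify("bob@example.test", enumeration_prevention)
    unknown = identify("nobody@example.test", enumeration_prevention)
    return known != unknown


def options_shown(username: str, enumeration_prevention: bool) -> FrozenSet[str]:
    """Verification options the page offers for a given identifier."""
    return identify(username, enumeration_prevention).options


if __name__ == "__main__":
    for flag in (True, False):
        print(f"enumeration prevention {'on ' if flag else 'off'}: "
              f"leaks account existence = {leaks_existence(flag)}, "
              f"bob sees {sorted(options_shown('bob@example.test', flag))}")
```

Run stand-alone, it prints both modes. The trade-off the thread describes falls out of the model: with prevention on, bob, who has only a password, is still offered email, because the prompt cannot depend on what his account has enrolled; with prevention off, the prompt is exact for each user, but an unknown identifier produces a distinguishable response. Disabling the setting, as the answer suggests, trades the first property for the second, which is the decision an admin is really making.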
  • Hello @ug2d5 (ug2d5) Thank you for reaching out to our Community!

    This issue should be fixed when setting up a sign on policy and rule for the required subset of users that need to use email and for them to have a different login flow.

    The policies are a bit different in OIE than in Classic; please see the OIE doc for additional guidance:

    https://help.okta.com/oie/en-us/Content/Topics/identity-engine/policies/about-policies.htm
This question is closed.