Email OTP

SecureAuth Connect Email OTP delivers one-time password (OTP) verification codes to users by email, using the built-in SecureAuth SMTP server or your organization's custom SMTP provider. When a user selects Email OTP during authentication, SecureAuth Connect sends an email containing the verification code to their registered email address.

Use cases

Email OTP fits when you need a factor that works on any device with an email client.

  • Universal reach: Every user has an email address. No phone number, mobile app, or hardware key required.
  • First-factor authentication: Email OTP can serve as a primary sign-in method, not just a second factor. Users enter their email, receive a code, and sign in without a password.
  • Account recovery: Use Email OTP as a fallback when a user loses access to their phone or authenticator app.
  • Low-friction onboarding: New users can authenticate immediately with the email address they registered with, before setting up stronger methods like passkeys or TOTP.

Email OTP is not the best fit when delivery speed is critical (email can be delayed by spam filters or server queues), or when users access email on shared or public devices where messages could be read by others.

How Email OTP delivery works

When a user selects email as their OTP delivery method, SecureAuth Connect sends an email to the user's registered email address. The email contains the OTP code. The user enters the code on the verification screen in their browser.

By default, SecureAuth Connect sends OTP emails through the built-in SecureAuth SMTP server. You can replace this with your organization's SMTP server to control deliverability, sender branding, and compliance with your email policies.

Prerequisites

  • Tenant administrator access
  • For custom SMTP: your SMTP server credentials (hostname, port, username, password)

Set up a custom SMTP provider (optional)

The built-in SecureAuth SMTP server works without configuration. Follow these steps only if you want to use your own SMTP server.

  1. Go to Tenant Settings > Message Providers.

  2. Select the Emails tab.

  3. Select Custom SMTP as the provider.

    Custom SMTP configuration

  4. Enter the required SMTP settings:

    • SMTP Auth Mechanism: Select Plain, CRAM-MD5, or LOGIN based on your server configuration.
    • SMTP Host: Your SMTP server hostname or IP address.
    • SMTP Port: The port number: 587 (TLS), 465 (SSL), 25 (standard), or 2525 (alternative).
    • Username: The SMTP service account username.
    • Password: The SMTP service account password.
    • Sender Friendly Name: The display name that appears in the From field for recipients.

  5. Click Save.
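
A pre-flight check for the SMTP Auth Mechanism and SMTP Port choices above, as an added example (not SecureAuth code): it parses the server's EHLO replies and reports whether a chosen mechanism is offered and protected by TLS. It assumes port 587 with STARTTLS; the function names, mail.example.com, and the sample replies are constructed for illustration.

```python
import re
import smtplib
import ssl

PAGE_MECHANISMS = {"PLAIN", "CRAM-MD5", "LOGIN"}  # the three options in the settings list

def parse_ehlo(reply: str) -> dict:
    """Extract STARTTLS support and AUTH mechanisms from an EHLO reply."""
    caps = {"starttls": False, "auth": set()}
    for line in reply.splitlines():
        # Accept raw wire lines ("250-AUTH PLAIN") and smtplib's stripped form ("AUTH PLAIN").
        words = re.sub(r"^250[- ]", "", line.strip()).replace("=", " ").split()
        if words and words[0].upper() == "STARTTLS":
            caps["starttls"] = True
        elif words and words[0].upper() == "AUTH":
            caps["auth"].update(w.upper() for w in words[1:])
    return caps

def assess(mechanism: str, before_tls: str, after_tls: str) -> list:
    """Return findings for one mechanism, given the EHLO replies around STARTTLS."""
    mech, pre, post = mechanism.upper(), parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if mech not in PAGE_MECHANISMS:
        findings.append(f"{mech} is not one of the mechanisms the console offers")
    if not pre["starttls"]:
        findings.append("STARTTLS not advertised: password and OTP mail would travel in cleartext")
    if mech not in post["auth"]:
        findings.append(f"{mech} not offered after TLS; server offers {sorted(post['auth'])}")
    if mech in pre["auth"] and mech in {"PLAIN", "LOGIN"}:
        findings.append(f"server advertises {mech} before TLS, which exposes the password as base64")
    return findings

def probe(host: str, port: int = 587) -> tuple:
    """Collect both EHLO replies from a live server (needs network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        before = smtp.ehlo()[1].decode()
        if not smtp.has_extn("starttls"):
            return before, ""
        smtp.starttls(context=ssl.create_default_context())  # verifies the certificate
        return before, smtp.ehlo()[1].decode()

# Constructed sample replies for a hypothetical server, mail.example.com.
SAMPLE_BEFORE = "250-mail.example.com\n250-SIZE 35882577\n250-STARTTLS\n250 ENHANCEDSTATUSCODES"
SAMPLE_AFTER = "250-mail.example.com\n250-SIZE 35882577\n250-AUTH PLAIN LOGIN\n250 ENHANCEDSTATUSCODES"

if __name__ == "__main__":
    for mech in sorted(PAGE_MECHANISMS):
        print(mech, assess(mech, SAMPLE_BEFORE, SAMPLE_AFTER) or "ok")
```

To check a real server, call probe() with your SMTP host from a machine that can reach it and pass the two replies to assess().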

Test your configuration

Use the built-in test option to verify email delivery:

  1. Go to the Send test message section.

  2. Enter a test email address.

  3. Click Send. You should receive an email containing a test OTP code. Verify that the email arrives and the code displays correctly.

Set code length and lifetime

These are tenant settings and apply to all workspaces.

  1. Go to Tenant Settings > MFA Settings.

    Configure email verification code length and lifetime

  2. Enable Send to Email.

  3. Configure the verification code settings:

    • Verification Code Length: The number of digits in the code (for example, 6).
    • Verification Code Lifetime: How long the code remains valid (for example, 5 minutes).

  4. Click Save.

Enable Email OTP as an authentication method

After configuring the email provider (or using the default), enable Email OTP as an authentication method:

  1. In your workspace, go to Authentication > Settings.

  2. Select the Methods tab.

  3. Select the Email OTP check box.

    Allowed Authentication methods page showing available methods

  4. Click Save.

Add Email OTP as a sign-in method

Add Email OTP as a first-factor or second-factor authentication method for your users.

  1. Go to Users > Sign-in and Sign-up.

  2. Under First-Factor Authentication Methods or Second-Factor Authentication Methods, click + Add method and select Email OTP.

  3. (Optional) To make Email OTP the preferred method shown at sign-in, click the three-dot menu and select Make Preferred. Only one method can be preferred per identity pool.

    Identity pool Sign-in and Sign-up tab showing OTP methods as first-factor authentication

  4. Click Save.

OTP rate limiting

SecureAuth Connect enforces rate limits on OTP send requests to prevent abuse. If a user or API client exceeds the allowed number of OTP requests within a time window, subsequent requests are temporarily blocked.
