Skip to content

Add MFA with Email OTP

Email OTP is a One-Time Password (OTP) sent to the user's verified email address, which the user must submit during login (as an additional authentication step). This password is typically valid for a very short period.

During Email OTP authentication, the user is required to access the verified email account within a short time span to get the OTP. This prevents unauthorized users from accessing the OTP and thereby adds an extra layer of security to the authentication process.

Follow the instructions given below to configure Multi-Factor Authentication (MFA) using Email OTP in WSO2 Identity Server.



You can use Email OTP for multi-factor authentication only if a previous authentication step is configured with username and password or another factor that can validate user credentials.

Set up Email OTP

WSO2 Identity Server has some default settings for email OTP, which are sufficient for most cases. If required, you can change the default settings, as explained below.

To update the default Email OTP settings:

  1. On the WSO2 Identity Server Console, go to Connections and select Email OTP.
  2. Update the following parameters in the Settings tab:

    Setup email OTP in WSO2 Identity Server

    Field Description
    Email OTP expiry time Specifies the expiry time of the OTP. The generated OTP will not be valid after this expiry time.
    Use alphanumeric characters for OTP Specifies whether to use alphanumeric characters in the OTP. If not selected, the generated OTP contains only digits (0-9).
    Email OTP length Specifies the number of characters allowed in the OTP.
    3. Once you update the Email OTP settings, click Update.

Enable Email OTP for an app

To enable Email OTP for MFA, you need to add Email OTP in the authentication flow of the application.

Follow the steps given below.

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Select the application to which you wish to add Email OTP.

  3. Go to the Login Flow tab of the application and add the Email OTP authenticator as follows:

    1. Go to Predefined Flows > Add Multi-factor Login.

    2. Select Username + Password -> Email OTP.

    3. Click Confirm to add passwordless login with email OTP to the sign-in flow.

      Configuring Email OTP authenticator in WSO2 Identity Server using the visual editor

    4. Select Enable backup codes if you wish to allow users to use backup codes to log in to the application. Learn more about configuring backup codes for users.

  4. Click Update to save your changes.

How it works

When Email OTP is enabled in the login flow of your application, the application user will be prompted with the email OTP authentication step once the first authentication step is completed. Given below are the high-level steps that follow:

  1. WSO2 Identity Server sends the OTP to the user's verified email address.
  2. WSO2 Identity Server prompts the user to enter the OTP code.

    Authenticate with email OTP in WSO2 Identity Server

  3. If required, the user can request WSO2 Identity Server to resend the OTP. The new OTP invalidates the previously sent OTP.

  4. The user enters the OTP and clicks Continue.
  5. If the authentication is successful, the user can access the application.