Email OTP Authentication#

Overview#

The Email OTP Authentication feature provides a secure and versatile method for accessing and recovering accounts. By sending a one-time password (OTP) to the user’s verified email, this feature ensures that only users with access to the registered email account can authenticate their identity.

Email OTP can be used for:

  • Logging into an account when other authentication methods, such as Passkeys, are unavailable.

  • Recovering access to an account in case of lost credentials.

How It Works#

Requesting an OTP#

When a user initiates the Email OTP Authentication process, a one-time password is sent to their verified email address. This step confirms that the user has access to the registered email account.

Verifying the OTP#

The user provides the OTP they received via email to complete the authentication process. Upon successful verification, a session is created, granting the user access to their account.

Considerations#

  • Preconditions: Email OTP Authentication requires that the user’s email address is verified before the process can be initiated.

  • Passkey Dependency: In some configurations, Email OTP Authentication may require a previously set up Passkey for additional security.

  • Security: OTPs are time-limited. A code that is not used within its validity period expires, which keeps the window in which a leaked or intercepted code could be used to gain unauthorized access short.

Settings#

The following settings can be configured for the Email OTP Authentication feature via the API settings:

  • Email OTP Authentication Requires Verified Email: Ensures that the user’s email address must be verified before an OTP code can be requested.

  • Email OTP Authentication Requires Passkey Setup: Requires the user account to have at least one Passkey device set up before requesting an OTP code.

  • Email OTP Authentication Verify Timeout: Sets the duration (in seconds) within which the user must complete the OTP verification process. Default: 300 seconds.
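The following is an added example, not code from this page or its product: a minimal server-side model of the request and verify steps described above that enforces the three settings listed here (verified-email precondition, Passkey precondition, 300-second verify timeout) and adds single use of each code and a wrong-guess cap. The `User`, `Settings`, `PendingOtp` types, the in-memory store and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical user record and settings (names constructed for this example).
@dataclass
class User:
    email: str
    email_verified: bool
    passkey_count: int

@dataclass
class Settings:
    requires_verified_email: bool = True   # "Requires Verified Email"
    requires_passkey_setup: bool = False   # "Requires Passkey Setup"
    verify_timeout: int = 300              # "Verify Timeout", page default in seconds

@dataclass
class PendingOtp:
    code_hash: str      # only a hash is stored; the plaintext goes to the user by email
    expires_at: float   # absolute time (seconds) after which the code is rejected
    attempts: int = 0   # wrong guesses so far

def _hash(code: str, email: str) -> str:
    return hashlib.sha256(f"{email}:{code}".encode()).hexdigest()

def request_otp(user: User, settings: Settings, now: float, store: dict) -> str:
    """Check the preconditions, mint a 6-digit code, return it for delivery by email."""
    if settings.requires_verified_email and not user.email_verified:
        raise PermissionError("email address not verified")
    if settings.requires_passkey_setup and user.passkey_count == 0:
        raise PermissionError("no Passkey set up on this account")
    code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, zero-padded
    store[user.email] = PendingOtp(_hash(code, user.email), now + settings.verify_timeout)
    return code

def verify_otp(user: User, code: str, now: float, store: dict, max_attempts: int = 3) -> bool:
    """True only for the current, unexpired, unused code; a session would be created on True."""
    pending = store.get(user.email)
    if pending is None or now >= pending.expires_at:   # nothing pending, or verify timeout hit
        store.pop(user.email, None)
        return False
    pending.attempts += 1
    if pending.attempts > max_attempts:                 # too many guesses: discard the code
        store.pop(user.email, None)
        return False
    ok = hmac.compare_digest(pending.code_hash, _hash(code, user.email))  # constant-time
    if ok:
        store.pop(user.email, None)                     # single use: a code never verifies twice
    return ok
```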