The Email Authenticator adds a factor of email to an authentication chain. It can be used standalone, but in most cases it makes more sense to use it as a second or third factor in an authentication flow, or as an additional factor in a registration flow.

The Email Authenticator sends a hyperlink to the user which verifies it is the owner of the email address by clicking the link.

Base Configuration

The Authenticator base configuration is found in the general section Authenticator Base Configuration.

Using as standalone factor (single factor)

In some cases one wants to use email as a single factor. In such cases the Email Authenticator will start by asking the user for its username.


Fig. 70 Email authenticator - Enter username

If the username doesn’t exist or the user doesn’t have a registered email address an error message is displayed. Once the username and email address has been established, the flow continues the same way as the others described below.

Using as second or N-th factor

The most common case is to use the Email Authenticator as a factor in a multi factor authentication setup. Commonly after a first factor which authenticates the user by a username (which could also be an email address) and a password. The Email Authenticator will then bypass the step of collecting the username again, and will use the username it gets from the SSO session already established by the previous factor.

See Multi-factor configuration for Authentication for how to configure a multi factor authentication chain.


The general authenticator config is described under Authenticator Base Configuration. This section describes the additional parameters that are available for the Email Authenticator.


The Email Authenticator is located in the configuration at /profiles/profile{id type}/settings/authentication-service/authenticators/authenticator{id}/email

The available parameters for the Email Authenticator are

class email
account-manager-id(ref, mandatory)

A reference to an account manager in the profile. This account manager must have a data-store configured for Registration to be possible. Otherwise the authenticator will operate in authentication mode only.

hyperlink-time-to-live(integer, default 120)

The time (in seconds) the hyperlink sent out will be valid for authentication.

max-challenges-sent(integer between 0 and 100, default 3)

The maximum number of Email-challenges that is allowed to be sent during one session. When this value is set to 0, there is no maximum attempts enforced.

max-allowed-attempts(integer between 0 and 100, default 3)

This setting restricts how many attempts a user can do to verify a link within a session. If the limit is reached, an error verify.error.too-many-attempts will be shown. Setting this to 0, allows for unlimited attempts.


The Email Authenticator requires an email provider to be configured on the profile. (Base Configuration of an Authentication Service Profile)


<authenticator xmlns="">