No policy set, but email OTP is still always required

I have tried to setup a zero trust access to a subdomain that allows only certain countries. However, when visiting the subdomain, I always get promted with the “Get a login code emailed to you” screen to receive a OTP via email.
I already tried to remove all policies, same results - I get promted to enter an email address.
I also tried to add a policy to allow everyone - I still get promted to enter an email address.

Is there some global setting that I’m missing that requires the email OTP to always be required, regardless of policies I actually set per application?


It’s just how allow policies work, they require the user to go through an identity provider, and then match the conditions of the rule, to get access.

If you want them to not have to use an identity provider, you’d want Service Auth action, which allows you to go through the normal access flow but without an identity, or Bypass, which goes back to normal zone security rules on match:

Generally what you are trying to do would be more of a firewall/custom rule in WAF than a Zero Trust Access Policy, “Country” “not in” (select countries) → block.

It’s worth noting as well that Country data is based on IP Geolocation data which isn’t always true or accurate, or even if it is, it might just be someone using a VPN. It’s not very “Zero Trust”

1 Like