One-Time PIN - No Email

If I add more than 1 email address in the “Require” “Emails” field below I will not receive the “One-Time PIN” email. Screenshot below of the page I’m referring to. With just 1 email in that emails field I do get the emails.

Hi Matt,

Access rules ultimately wind up being converted to regex and the way this rule is written it basically says login = OTP AND (email = [email protected] AND [email protected]) which is not possible since a user’s email can’t be 2 different emails at the same time. As such the criteria for successful login isn’t met and the email isn’t sent.

In your Access policy you can select OTP as the only authentication mechanism (assuming that’s what you want) and then simply Include ‘emails’ [email protected], [email protected]). In the include they would be evaluated as an or operator.

Zero Trust policies · Cloudflare for Teams documentation

Did you configure the email adress correctly (put in your email adress correctly)? You may want to check for any typo’s in the email such as unnecessary spaces, dots, mistyped words and make sure the domain is correct! May I ask, does your email receive any mail at all or does it all fail?

Thank you for your reply. That makes sense, but when I made the change I now have the reverse problem. In the screenshot below I have 2 emails added and I get the OTP to both accounts. However, when I went to test an email that is not included I still received an OTP code.

Now you’ve got a logical OR operator Login method = OTP (with no constraint) or emails email A OR email B.

Remove the One Time Pin from this rule and instead configure it as the authentication mechanism on the Authentication Tab.

Normally including an Authentication mechanism (such as my configured Okta provider) is a simple way to include any user who can authenticate against my Okta instance (since I control the users in my Okta tenant) but in the case of OTP what that as a standalone include translates to is anyone with a valid email address who receives a OTP.

I don’t see any config options under “Authentication” (Don’t think I want the “Instant Auth”) checked. “Select All” doesn’t do anything.

You only have one authentication method and it’s selected. So there’s no need to include it in the rule itself it’s the authentication method that will be available. You just need the emails - email a and email b.

With this setup I still get OTP emails to any email address

Have you confirmed the address you entered got a OTP? Because the UX is the same whether the account is valid or not.

Yes I have. I have 2 email addresses listed in the policy shown in the screenshot above, both those work as expected. When navigating to the web page and I enter in another address that is not listed in the policy I do get the OTD email and the code works. This is not expected.

You now have 2 rules. One which says anyone with a OTP and another which says ‘these 2 users’ with a OTP. Delete the “Login Method OTP” rule. if you don’t want anyone with a valid email to be able to log in.

I thought that had already been deleted. I think we are in business now. Doing some final testing and will mark as resolved if all goes well. Thank you!

doh

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.