Is It a Recommended/Best Practice to Use Email as a Component in Two Factor Authentication?

Problem scenario
You want to implement a secure authentication protocol that requires a password plus a second authentication factor. Can email (that is, being in possession of an inbox) serve as a factor in MFA?

Answer
Maybe.

No, according to NIST:
https://pages.nist.gov/800-63-FAQ/

But many companies do use email as a factor in multi-factor authentication.

(This is about setting up email in general. It does not pertain to a specific vendor's implementation of email.)
