How long are Email MFA Codes valid for?

Problem Statement

If a user triggers email MFA, how long do they have to enter the code sent via email?


Email MFA codes follow the MFA transaction lifetime, which means they are valid for 5 minutes.

This is how it works:

  • The emailed code expires after 5 minutes. If you enter it after 5 minutes, you are told the code is invalid.
  • You can resend the email from that same screen and try again with the new code.
  • After 10 minutes, the login transaction expires. If the user enters their code after that, they are redirected to the Application Login URI. Because there is already a session, the user lands on the MFA page again, where another email is sent and the process starts over.
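
The two lifetimes above can be modelled as two separate clocks, one per code and one per login transaction. The following is an added sketch, not the product's own code: the class, method names and status strings are hypothetical, and it assumes that a resend invalidates the previous code and that resending does not extend the 10-minute transaction.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL = 5 * 60          # email code lifetime stated above (seconds)
TRANSACTION_TTL = 10 * 60  # login transaction lifetime stated above (seconds)


@dataclass
class EmailMfaTransaction:  # hypothetical model
    started_at: float
    code: str = field(default="", repr=False)
    code_issued_at: float = 0.0

    def send_code(self, now: float) -> str:
        """Issue or resend a code; the previous code stops being accepted."""
        if now - self.started_at > TRANSACTION_TTL:
            raise RuntimeError("transaction expired; restart login")
        new = self.code
        while new == self.code:  # never reissue the same value
            new = f"{secrets.randbelow(10**6):06d}"
        self.code, self.code_issued_at = new, now
        return new

    def verify(self, submitted: str, now: float) -> str:
        # The transaction clock is anchored to the start of the login and
        # is checked first: a resend does not reset it (assumption).
        if now - self.started_at > TRANSACTION_TTL:
            return "transaction_expired"
        if now - self.code_issued_at > CODE_TTL:
            return "invalid_code"
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(submitted.encode(), self.code.encode()):
            return "invalid_code"
        return "ok"


def demo() -> list:
    """Constructed timeline in seconds since the login started."""
    tx = EmailMfaTransaction(started_at=0.0)
    first = tx.send_code(0.0)
    results = [tx.verify(first, 4 * 60)]          # inside the 5-minute window
    results.append(tx.verify(first, 6 * 60))      # code older than 5 minutes
    second = tx.send_code(6 * 60)                 # user clicks resend
    results.append(tx.verify(first, 7 * 60))      # old email, superseded
    results.append(tx.verify(second, 7 * 60))     # new code, still fresh
    results.append(tx.verify(second, 10 * 60 + 1))  # transaction has expired
    return results
```

In this model a code resent at minute 6 is usable for only 4 minutes, because the transaction clock runs out before the code's own 5-minute window does.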