Mimecast triggering Passwordless OTP before getting to inbox

We have been using the email-based passwordless auth for several months, and it has worked extremely well. However, recently some of our customers have switched to using Mimecast for email security. One of the features of the Mimecast service is that it tests all the links in an email for malware.

End result is that the Mimecast service is triggering the OTP link in the Auth0 email, before it reaches the customer’s inbox… and therefore guaranteeing an authentication error.

Has anyone else run into this? What workarounds have people found?

Hey there @Joe-FS!

First time hearing about that! Just added the mimecast tag to your questions for better searchability in case someone had a similar issue.

I think it is possible to set a policy in Mimecast to avoid the check.
https://community.mimecast.com/s/article/Configuring-Permitted-Senders-Policies-1067720131

Thanks for the suggestion Tanver. Unfortunately that specific workaround is only to bypass the spam assessment, but it does provide a useful route of investigation.

Keeping this topic open in case someone has faced a similar problem.

After a day of work, we have found there isn’t an optimal solution for this issue that preserves the frictionless experience of email-magic links. Essentially, if your customers use Mimecast or similar URL inspection services, you will have to decide to either:

  • Switch to using passwordless OTP codes
  • Ask your customer to work through whitelisting messages from your service

Both approaches increase login friction. We have decided to implement a variation of OTP codes. We plan to create 2 tenants - one using passwordless OTP codes & one using passwordless links. We will onboard our customers to both tenants, so they can choose which to use. However, we default to passwordless links as it has lower friction. We’re working on the detection method to spot this kind of issue & the UX to guide our customers to the most reliable solution for them. But ultimately it is a business decision to spend $0.03 more per customer per month to prevent them from needing to change their security appliances in order to fit our needs.
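One way the detection mentioned in the post above could work, as an added example that is not part of the original thread and is not Auth0 code: flag an email domain when a magic link is consumed within seconds of being sent and the same address is then rejected from a different IP. The event names, the tuple schema and the thresholds are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a hypothetical schema (not Auth0's log format):
# (ISO timestamp, event kind, recipient email, source IP)
EVENTS = [
    ("2024-01-10T09:00:00", "link_sent", "ann@scanned.example", "-"),
    ("2024-01-10T09:00:03", "link_used", "ann@scanned.example", "198.51.100.7"),
    ("2024-01-10T09:02:10", "link_rejected", "ann@scanned.example", "203.0.113.20"),
    ("2024-01-10T09:05:00", "link_sent", "bob@plain.example", "-"),
    ("2024-01-10T09:05:45", "link_used", "bob@plain.example", "203.0.113.44"),
    ("2024-01-10T09:06:30", "link_rejected", "bob@plain.example", "203.0.113.44"),
    ("2024-01-10T09:10:00", "link_sent", "carl@scanned.example", "-"),
    ("2024-01-10T09:10:02", "link_used", "carl@scanned.example", "198.51.100.9"),
    ("2024-01-10T09:11:00", "link_rejected", "carl@scanned.example", "203.0.113.21"),
    ("2024-01-10T09:20:00", "link_sent", "eve@fast.example", "-"),
    ("2024-01-10T09:20:06", "link_used", "eve@fast.example", "203.0.113.60"),
]

def scanned_domains(events, max_delay=10, min_hits=1):
    """Return {domain: hits} for domains whose links look pre-clicked by a scanner.

    A hit is: link used within max_delay seconds of sending, followed by a
    rejected click for the same address from a different source IP.
    """
    sent = {}        # email -> time the current link was sent
    early_use = {}   # email -> IP that consumed the link suspiciously fast
    hits = defaultdict(int)
    for ts, kind, email, ip in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "link_sent":
            sent[email] = when
            early_use.pop(email, None)  # a new link resets the state
        elif kind == "link_used" and email in sent:
            if (when - sent[email]).total_seconds() <= max_delay:
                early_use[email] = ip
        elif kind == "link_rejected" and email in early_use:
            # The real user arrives later, from another IP, and is refused.
            if ip != early_use.pop(email):
                hits[email.rsplit("@", 1)[1]] += 1
    return {domain: n for domain, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    print(scanned_domains(EVENTS))
```

A fast click on its own (eve) and a reused link from the same IP (bob) are not counted; only the fast-use-then-rejected-elsewhere pattern is, which is what would justify steering that domain to OTP codes.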

Thanks for sharing it with the rest of the community!