Email Two-Factor Authentication
Email two-factor authentication (2FA) sends a one-time pin code to a user's email address after they enter their username and password. The user must enter that code on the Enter Email Pin screen to complete sign-in. This topic covers how an administrator enables email 2FA, the end-user experience, lockout behavior, and audit events.
Prerequisites
- A configured email send method. See Email Configuration.
- Each user enrolling in email 2FA must have a valid email address on their user record. For Active Directory users the address is synced from the domain account; for local users it is set on the user's General tab. See User Settings.
Enabling Email 2FA
Email 2FA can be enabled at user creation or on an existing user. Both paths use the same control.
At user creation
- Search for Users and click Create User. The Add user dialog is displayed.
- Fill in the user fields. In the Multifactor authentication dropdown, select Email.
- Click Add user.
On an existing user
- Search for Users and open the user.
- On the General tab, edit the user. In the Multifactor authentication dropdown, select Email and save.
End-User Sign-In Experience
- The user enters their Username, Password, and Domain on the Log in to continue screen and clicks Log In.
- The Enter Email Pin screen is displayed with the message: "You have just been sent a confirmation pin code to your email address. Please check your email and enter it below. Note that old confirmation pin codes will not work."
- A pin code email arrives within approximately 10 seconds. Subject: [SecretServer] Pin Code. Body: "Here is your pin code:NNNNNN" (a six-digit code).
- The user enters the six-digit code in the Pin code field and clicks Log In.
- On success, the user lands on their default landing page (the All Secrets view for a user with no other customization).
Resending a Pin Code
If the user does not receive the email or needs a new code, they can click Resend Pin Code on the Enter Email Pin screen. A new code is generated and emailed; the previous code becomes invalid.
Invalid Pin Behavior
When a user enters an incorrect pin code, the page returns to the Log in to continue screen and displays the banner: "The Pin Code you entered is invalid." The user must re-enter their username and password; a new pin code is sent on the next successful password submission.
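The sign-in, resend and invalid-pin behaviour described above, as an added illustrative model (not Secret Server's implementation, and not code from this documentation). The class and method names are invented, the mailer is replaced by an in-memory outbox, the lockout threshold of 3 stands in for whatever Maximum Login Failures is set to, and it is an assumption that a wrong pin counts toward that threshold in the same way a wrong password does. What it demonstrates: the six-digit code comes from a CSPRNG, a resend invalidates the previous code, a code is accepted at most once, and a wrong code drops the user back to the password phase.

```python
import hmac
import secrets
from typing import List, Optional, Tuple

PIN_DIGITS = 6
MAX_LOGIN_FAILURES = 3  # stand-in for the Maximum Login Failures setting; the value is an assumption


class EmailPinSession:
    """Illustrative model of the email 2FA sign-in flow for one user (not Secret Server's code)."""

    def __init__(self, username: str, password: str, max_failures: int = MAX_LOGIN_FAILURES) -> None:
        self._username = username
        self._password = password.encode()  # model only; a real system stores a password hash
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self.phase = "password"  # "password" -> "pin" -> "authenticated"
        self._pending_pin: Optional[str] = None
        self.outbox: List[Tuple[str, str]] = []  # (subject, body) pairs, standing in for the mailer

    def _issue_pin(self) -> None:
        # A fresh CSPRNG code replaces any pending one, so an older code can never be accepted.
        self._pending_pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self.outbox.append(("[SecretServer] Pin Code", f"Here is your pin code:{self._pending_pin}"))

    def _record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True

    def submit_password(self, username: str, password: str) -> str:
        """Password phase. Returns the screen or banner the user would see next."""
        if self.locked:
            return "Login failed."  # credentials are not evaluated while locked
        if self.phase != "password":
            return "Enter Email Pin"  # already past this phase
        if username != self._username or not hmac.compare_digest(password.encode(), self._password):
            self._record_failure()
            return "Login failed."
        self.phase = "pin"
        self._issue_pin()
        return "Enter Email Pin"

    def resend_pin(self) -> bool:
        """Resend Pin Code: only meaningful on the pin screen; invalidates the previous code."""
        if self.phase != "pin" or self.locked:
            return False
        self._issue_pin()
        return True

    def submit_pin(self, code: str) -> str:
        """Pin phase. A wrong code sends the user back to the password screen."""
        if self.phase != "pin":
            return "Log in to continue"
        if self._pending_pin is not None and hmac.compare_digest(code.encode(), self._pending_pin.encode()):
            self._pending_pin = None  # single use
            self.phase = "authenticated"
            return "All Secrets"
        self._pending_pin = None  # the code is dead either way; a new one is sent after the next password
        self.phase = "password"
        self._record_failure()  # assumed: pin failures count toward Maximum Login Failures
        return "The Pin Code you entered is invalid."

    def last_pin_sent(self) -> Optional[str]:
        """Stands in for the user reading the code out of their mailbox."""
        return self.outbox[-1][1].split(":")[-1] if self.outbox else None


if __name__ == "__main__":
    session = EmailPinSession("alice", "correct horse")
    print(session.submit_password("alice", "correct horse"))
    session.resend_pin()  # the first code in the outbox is now useless
    print(session.submit_pin(session.last_pin_sent() or ""), session.phase)
```

Because the model never leaves the pin phase with a live code (success consumes it, failure discards it), the only way to get a usable code is to pass the password phase again, which is exactly the round trip the page describes for an invalid pin.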
Lockout
When the Maximum Login Failures threshold is reached, the account is locked and subsequent sign-in attempts display the generic banner: "Login failed." The lockout duration is set by the Maximum Login Failures configuration in Secret Server.
To unlock a user:
- Search for Users, then find the locked user. You may need to enable Include disabled or change the status filter.
- Open the user. On the General tab, click the Options dropdown and select Unlock user.
Audit Events
Email 2FA activity is recorded on the user's Audit tab. Open the user record and click Audit. The following event names appear:
| Event | Meaning |
|---|---|
| CREATEUSER | An administrator created the user account. |
| LOGIN SUCCESS | Logged on each completed authentication phase. A user with email 2FA enabled who fully signs in generates two consecutive LOGIN SUCCESS events (one for the password phase, one for the pin phase). A LOGIN SUCCESS followed immediately by a LOGIN FAILED INVALID TWOFACTOR indicates the password succeeded but the pin did not; the user did not complete sign-in. |
| LOGIN FAILED INVALID TWOFACTOR | The pin code entered was incorrect. The Notes column contains "The Pin Code you entered is invalid." |
| LOGIN FAILED with Note UserIsLockedOut | A sign-in was attempted while the account is locked. The credentials are not evaluated. |
| LOGIN FAILED with Note AuthenticationFailed | A general authentication failure not captured by a more specific event. |
| ACCOUNTLOCKEDFAILEDATTEMPTS | The Maximum Login Failures threshold has been reached and the account is now locked. |
| EDIT by Delinea System | System update to the user record. The failure-counter increment shows, for example, LoginFailures: 3 to 4;. When the counter trips the threshold, the same event records the lockout in one note: LoginFailures: 10 to 11; IsLockedOut: false to true; LockedOutReasonId: blank to LoginAttemptsExceeded;. |
| EDIT by an admin user | An administrator-initiated change. An unlock action records the inverse transition: IsLockedOut: true to false; LockedOutReasonId: LoginAttemptsExceeded to blank;. |
| CHANGEPASSWORD | The user changed their own password, for example on the first-login forced password change. |
| LOGOUT | The user logged out explicitly. |
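The event sequences in the table are what a reviewer looks for when reading a user's Audit tab, and they are easy to check mechanically once the rows are exported. The following is an added example, not code from this documentation or from Delinea: it parses the "Field: old to new;" transitions in the Notes column of EDIT events, flags a LOGIN SUCCESS immediately followed by LOGIN FAILED INVALID TWOFACTOR (password accepted, pin rejected), counts completed sign-ins as pairs of consecutive LOGIN SUCCESS events, and pulls out lockouts and admin unlocks. The AuditEvent record, the function names, and the sample rows (timestamps, usernames, the admin name admin.jane) are all constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Matches one "Field: old to new;" transition in the Notes column of an EDIT event.
NOTE_TRANSITION_RE = re.compile(r"(\w+):\s*(\S+) to (\S+);")


@dataclass
class AuditEvent:
    when: datetime
    user: str      # the user record the event belongs to
    event: str     # event name as shown on the Audit tab
    by: str = ""   # actor for EDIT events ("Delinea System" or an admin username)
    notes: str = ""


def parse_note_transitions(notes: str) -> Dict[str, Tuple[str, str]]:
    """Turn 'LoginFailures: 10 to 11; IsLockedOut: false to true;' into {field: (old, new)}."""
    return {name: (old, new) for name, old, new in NOTE_TRANSITION_RE.findall(notes)}


def _events_by_user(events: List[AuditEvent]) -> Dict[str, List[AuditEvent]]:
    grouped: Dict[str, List[AuditEvent]] = {}
    for ev in sorted(events, key=lambda e: e.when):  # stable sort keeps same-timestamp order
        grouped.setdefault(ev.user, []).append(ev)
    return grouped


def find_pin_failures_after_password(events: List[AuditEvent]) -> List[AuditEvent]:
    """LOGIN SUCCESS immediately followed by LOGIN FAILED INVALID TWOFACTOR for the same user:
    the password phase passed but the pin did not. Worth a look, because it can mean the
    password is known to someone who cannot read the user's mailbox."""
    hits: List[AuditEvent] = []
    for user_events in _events_by_user(events).values():
        for prev, cur in zip(user_events, user_events[1:]):
            if prev.event == "LOGIN SUCCESS" and cur.event == "LOGIN FAILED INVALID TWOFACTOR":
                hits.append(cur)
    return hits


def count_completed_signins(events: List[AuditEvent]) -> Dict[str, int]:
    """Two consecutive LOGIN SUCCESS events (password phase, then pin phase) are one full sign-in."""
    counts: Dict[str, int] = {}
    for user, user_events in _events_by_user(events).items():
        counts[user] = 0
        i = 0
        while i < len(user_events) - 1:
            if user_events[i].event == "LOGIN SUCCESS" and user_events[i + 1].event == "LOGIN SUCCESS":
                counts[user] += 1
                i += 2  # consume the pair so a third LOGIN SUCCESS starts a new pair
            else:
                i += 1
    return counts


def find_lockouts(events: List[AuditEvent]) -> List[AuditEvent]:
    """ACCOUNTLOCKEDFAILEDATTEMPTS, plus EDITs whose notes flip IsLockedOut false -> true."""
    return [ev for ev in events
            if ev.event == "ACCOUNTLOCKEDFAILEDATTEMPTS"
            or (ev.event == "EDIT" and parse_note_transitions(ev.notes).get("IsLockedOut") == ("false", "true"))]


def find_unlocks(events: List[AuditEvent]) -> List[Tuple[str, str]]:
    """(user, actor) for EDITs that flip IsLockedOut true -> false, i.e. an unlock."""
    return [(ev.user, ev.by) for ev in events
            if ev.event == "EDIT" and parse_note_transitions(ev.notes).get("IsLockedOut") == ("true", "false")]


def _ev(ts: str, user: str, event: str, by: str = "", notes: str = "") -> AuditEvent:
    return AuditEvent(datetime.fromisoformat(ts), user, event, by, notes)


# Constructed sample rows in the shape of the Audit tab; not real Secret Server output.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:01", "alice", "LOGIN SUCCESS"),
    _ev("2024-05-01T09:00:20", "alice", "LOGIN SUCCESS"),
    _ev("2024-05-01T09:45:00", "alice", "LOGOUT"),
    _ev("2024-05-01T10:00:01", "bob", "LOGIN SUCCESS"),
    _ev("2024-05-01T10:00:30", "bob", "LOGIN FAILED INVALID TWOFACTOR", notes="The Pin Code you entered is invalid."),
    _ev("2024-05-01T10:00:31", "bob", "EDIT", by="Delinea System", notes="LoginFailures: 9 to 10;"),
    _ev("2024-05-01T10:01:00", "bob", "LOGIN SUCCESS"),
    _ev("2024-05-01T10:01:40", "bob", "LOGIN FAILED INVALID TWOFACTOR", notes="The Pin Code you entered is invalid."),
    _ev("2024-05-01T10:01:41", "bob", "EDIT", by="Delinea System",
        notes="LoginFailures: 10 to 11; IsLockedOut: false to true; LockedOutReasonId: blank to LoginAttemptsExceeded;"),
    _ev("2024-05-01T10:01:41", "bob", "ACCOUNTLOCKEDFAILEDATTEMPTS"),
    _ev("2024-05-01T10:02:00", "bob", "LOGIN FAILED", notes="UserIsLockedOut"),
    _ev("2024-05-01T10:30:00", "bob", "EDIT", by="admin.jane",
        notes="IsLockedOut: true to false; LockedOutReasonId: LoginAttemptsExceeded to blank;"),
]

if __name__ == "__main__":
    for hit in find_pin_failures_after_password(SAMPLE_EVENTS):
        print(f"{hit.when.isoformat()} {hit.user}: password accepted, pin rejected")
    print("completed sign-ins:", count_completed_signins(SAMPLE_EVENTS))
    print("lockouts:", [(e.when.isoformat(), e.user, e.event) for e in find_lockouts(SAMPLE_EVENTS)])
    print("unlocks:", find_unlocks(SAMPLE_EVENTS))
```

On the sample rows, bob is flagged twice (password right, pin wrong, twice in a row), alice has one completed sign-in, and the lockout shows up both as the system EDIT transition and as the ACCOUNTLOCKEDFAILEDATTEMPTS event, followed by admin.jane's unlock. The pairing logic relies on per-user ordering, so when exporting real rows, keep the timestamp and user columns and sort before analysis.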
Limitations
- Email 2FA is dependent on mail delivery. Mail-server outages, greylisting, or aggressive spam filtering can delay or block the one-time code.
- Application accounts cannot use email 2FA because they cannot log in interactively. See the Application Account field on the User Settings page.
- An incorrect pin returns the user to the username/password screen rather than keeping them on the pin entry screen. Each retry therefore requires re-entering the username and password.