Email Authenticator for MFA not sending an email using the embedded SDK

ups_braican · May 8, 2025, 7:53pm

I’m building authentication into my Next.js (v15) app using the Okta embedded SDK, using the IDX API. I’m struggling with getting the SDK to fire the email challenge when the Okta Email Authenticator factor is chosen as part of my MFA flow. My original thought was that this was a configuration issue with my Okta org or app, but I tested the login in the same Next.js app using the embedded widget instead (pointing to the same Okta app), the email challenge was sent when that authenticator is chosen.

My flow starts with a form with a username and password that hits a server action on submit. Within the server action, I’m starting the idx flow with the authenticate method and passing the username and password.

export const oktaAuthClient = new OktaAuth({
  issuer: `${process.env.NEXT_PUBLIC_OKTA_ISSUER}/oauth2/default`,
  clientId: process.env.NEXT_PUBLIC_OKTA_CLIENT_ID,
  redirectUri: process.env.NEXT_PUBLIC_OKTA_REDIRECT_URI,
  scopes: ["openid", "profile"],
  pkce: true,
  storageManager: {
    token: {
      storageProvider: storageProvider,
    },
  },
  services: {
    autoRenew: false,
    autoRemove: false,
  },
});

function onSubmit(formData) {
  const username = formData.get("username");
  const password = formData.get("password");

  const transaction = await oktaAuthClient.idx.authenticate({
    username,
    password,
  });
}

Upon successful authentication, the PENDING state gets returned with the next step of select-authenticator-authenticate, at which point the app will show the authenticator options; one of which is the okta_email option:

When selecting this option, the form handles it with the following SDK function:

function onSubmit(formData) {
  const authenticator = formData.get("authenticator");
  const transaction = await oktaAuthClient.idx.proceed({ authenticator });
}

Which results in the following value for transaction.nextStep:

  nextStep: {
    name: 'authenticator-verification-data',
    inputs: [ [Object] ],
    type: 'email',
    authenticator: {
      profile: [Object],
      resend: [Object],
      type: 'email',
      key: 'okta_email',
      id: <REDACTED>,
      displayName: 'Email',
      methods: [Array],
      enrollmentId: undefined
    },
    canResend: true
  },

My UI then displays the input for the email verification code. I’d expect the SDK to fire the email with the verification code at this point, but it doesn’t. Something that also confuses me is that based on the “Sign in with password and email factors” guide, I should expect the nextStep.name to be “challenge-authenticator”, but it’s “authenticator-verification-data”. I’m unable to find much documentation around this step name.

Is there anything I’m missing that I need to do to initiate an email challenge via the SDK?

Post		Replies	Views
Using idx to authenticate PKCE and OIDC flow OAuth/OIDC	2	2378	February 13, 2024
How To Access The /Verify Network Response In My JavaScript Using Okta Widget and MFA OAuth/OIDC widget , oauth	2	2901	February 12, 2024
SDK IDX Use Okta Verify TOTP? API idx , mfa	4	43	February 16, 2025
Email is not received with forgotPassword authn API when MFA is enabled in Recovery flow Questions api , sdk	2	1443	July 24, 2024
MFA set for previous trial gets persisted and prevents user from selecting a different MFA method Questions idx	3	1640	September 19, 2023

Email Authenticator for MFA not sending an email using the embedded SDK

Related topics