FusionAuth
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    • Login

    Why FusionAuth Webhooks Show ONE_TIME_PASSWORD Authentication Type for Logins

    Scheduled Pinned Locked Moved Solved
    Frequently Asked Questions (FAQ)
    webhooks webhook lambda
    1
    2
    1.2k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wesley
      last edited by

      In the login events from webhooks, I’m seeing many logins where authenticationType is set to ONE_TIME_PASSWORD. Our current configuration doesn’t seem to explain this, and as far as I know, we’re not using any OTP or MFA. What does this refer to?

      W 1 Reply Last reply Reply Quote 0
      • W
        wesley @wesley
        last edited by

        Great question—this often causes confusion.

        In FusionAuth, logging in after a Forgot Password flow is tracked as ONE_TIME_PASSWORD. That’s because, technically, FusionAuth uses a one-time password during that process. For example, if you look at the Change a User’s Password API, it returns a one-time password token. On the hosted pages, FusionAuth automatically consumes this token to sign the user in immediately after they reset their password via the forgot password link in their email.

        So even without traditional OTP or MFA configured, these login events can appear as ONE_TIME_PASSWORD due to password reset flows.

        1 Reply Last reply Reply Quote 0
        • W wesley marked this topic as a question on
        • W wesley has marked this topic as solved on
        • First post
          Last post