Why FusionAuth Webhooks Show ONE_TIME_PASSWORD Authentication Type for Logins
-
In the login events from webhooks, I’m seeing many logins where authenticationType is set to ONE_TIME_PASSWORD. Our current configuration doesn’t seem to explain this, and as far as I know, we’re not using any OTP or MFA. What does this refer to?
-
Great question—this often causes confusion.
In FusionAuth, logging in after a Forgot Password flow is tracked as ONE_TIME_PASSWORD. That’s because, technically, FusionAuth uses a one-time password during that process. For example, if you look at the Change a User’s Password API, it returns a one-time password token. On the hosted pages, FusionAuth automatically consumes this token to sign the user in immediately after they reset their password via the forgot password link in their email.
So even without traditional OTP or MFA configured, these login events can appear as ONE_TIME_PASSWORD due to password reset flows.
-
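A triage sketch for the behaviour described in the answer above, added here as an example and not part of the original thread or FusionAuth's own code: it relabels ONE_TIME_PASSWORD logins as post-reset logins and flags accounts that show several of them in a short period. The user.login.success event type and its createInstant and user.id fields follow FusionAuth's webhook event format; the 24-hour window, the threshold of 3, the function names and the sample bodies are assumptions.

```python
from collections import Counter, defaultdict

HOUR = 60 * 60 * 1000
WINDOW_MS = 24 * HOUR  # assumed review window
THRESHOLD = 3          # assumed: this many post-reset logins in the window is flagged
RESET_LABEL = "ONE_TIME_PASSWORD (post-reset login)"

def login_body(auth_type, user_id, ts):
    """Build a constructed user.login.success webhook body."""
    return {"event": {"type": "user.login.success", "authenticationType": auth_type,
                      "createInstant": ts, "user": {"id": user_id}}}

# Constructed sample bodies, not captured from a real FusionAuth instance.
T0 = 1_700_000_000_000
SAMPLE = [
    login_body("PASSWORD", "user-a", T0),
    {"event": {"type": "user.create", "user": {"id": "user-d"}}},  # not a login
    login_body("ONE_TIME_PASSWORD", "user-b", T0),
    login_body("ONE_TIME_PASSWORD", "user-b", T0 + 2 * HOUR),
    login_body("ONE_TIME_PASSWORD", "user-b", T0 + 5 * HOUR),
    login_body("ONE_TIME_PASSWORD", "user-c", T0 + 6 * HOUR),
]

def summarize(bodies):
    """Return (login counts per label, users with THRESHOLD+ reset logins in WINDOW_MS)."""
    counts = Counter()
    reset_times = defaultdict(list)
    for body in bodies:
        event = body.get("event", {})
        if event.get("type") != "user.login.success":
            continue  # ignore every other webhook event type
        auth_type = event.get("authenticationType", "UNKNOWN")
        if auth_type == "ONE_TIME_PASSWORD":
            # Per the answer: a login that followed a Forgot Password flow, not MFA.
            counts[RESET_LABEL] += 1
            reset_times[event["user"]["id"]].append(event["createInstant"])
        else:
            counts[auth_type] += 1
    flagged = []
    for user_id, times in reset_times.items():
        times.sort()
        # Sliding window: any THRESHOLD consecutive reset logins inside WINDOW_MS.
        for i in range(len(times) - THRESHOLD + 1):
            if times[i + THRESHOLD - 1] - times[i] <= WINDOW_MS:
                flagged.append(user_id)
                break
    return counts, sorted(flagged)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```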