OOTB One time password / Two Factor Authentication

Dear all,

I have a small question and hopefully someone has solved this already. When I enable One Time Password via e-mail, only when the operator logs in for the first time -or- when (s)he needs to change the password (for example via Force new password on next logon), the e-mail with the OTP code will be send to that operator. In all other instances of logging in - from either the same terminal as well as from a different PC - the operator is logged in without Pega asking for the OTP.

Any ideas on the logic behind this?

I have tried on Pega 7.4, 8.2 and 8.3.

We did manage to set pyLongLivedToken in a DT pyChangePasswordOTPParams and verified it was called before pxSendOTP but it did not make any difference.

Alternatively: how do you override the OTP behavior using Custom Authentication Service? The page I keep getting directed to only mentions to create either activity or JSON service, but no further information on how to implement this.

Kindest regards,


Keep up to date on this post and subscribe to comments

September 2, 2019 - 8:30am

Partially answering my own question: You need to add Multi-Factor authentication to the Authentication Service record as well (for example: "Platform Authentication", "Security Policies" add: "Multi-Factor Authentication").

Next step: how do I override the code generation and validation for the entire system?

September 16, 2019 - 12:31pm

I am also trying to do the same to force the Multi Factor Authentication every time user logins ? Any luck ?




September 18, 2019 - 2:49am


Not more than I stated before. You can add Two Factor Authentication in the Authentication Service rule (see image). But on how to implement different TFA implementations; I don't know. Documentation about it is horribly bad in my opinion.