When troubleshooting e-mail delivery:
a) Make sure the user's e-mail address is correct (in the Centrify Cloud Directory, Active Directory (GAL), LDAP or Google Directory).
b) Make sure that the user's e-mail system isn't blacklisting "donotreply@centrify.com", or modify the e-mail template so that it uses a whitelisted sender address.
Finally, as a good design choice, depending on your security posture, make sure that the user has several step-up mechanisms and ideally at least one multi-factor mechanism. As of 16.8 (current release) the options are:
- Password and User-defined question are just secrets > they don't qualify as step-up or MFA
- Phone call, Email, Text (SMS) are step-up mechanisms > they can be relatively good mechanisms for step-up authentication.
- Mobile authenticator (push), OATH OTP client and 3rd-party RADIUS (e.g. SecurID, Symantec VIP, Vasco, etc.) > these satisfy the requirements for MFA (something you have) and are relatively easy to set up.
- If you have the App+ edition, you can use Strong Authentication (certificate-based authentication/smart card) using your PKI infrastructure as well.
Make sure that your Auth Profiles include an alternative delivery method.
R.P