Make email an optional authenticator

Early Access release. See Enable self-service features.

This feature provides you with more granular control over email authenticator settings, including account recovery and unlocking, directly from the Admin Console. End users can manage the enrollment of the email authenticator from their End-User Dashboard.

How authentication works

Depending on how you've set up the authenticator enrollment policy, the email authenticator is either auto-enrolled or available as an option to end users for enrollment. Enrollment behavior for each email setting:

  • Required: The user's primary email address is auto-enrolled.
  • Optional: Users might need to enroll their primary email address if they want to use it as an authenticator.
  • Disabled: Users might be prompted to enroll their primary email address if it's necessary for account recovery, but they can't use it for authentication.

How account recovery works

When configuring self-service account recovery, you need to specify which authenticators end users can use to reset their password or unlock their account. End users must enroll at least one of these authenticators. If email is the only authenticator that you've specified for account recovery, then end users must enroll their email as an authenticator, unless you enabled recovery without enrollment.

Enrollment and recovery settings

You can manage email enrollment and recovery behavior for the end user with the following settings:

  • Auto-enroll using account profile email when possible: This setting determines whether Okta auto-enrolls an end user's email as an authenticator.
  • Send recovery email to user's primary and secondary email addresses even when the email authenticator has not been enrolled: This setting allows recovery emails to be sent to an end user's email, even if their email is not enrolled as an authenticator.

Review the following scenarios to ensure that your configuration doesn't prevent user access or block recovery paths.

Potential lockout

If the following conditions are met, end users can't recover their password and must contact an admin for support:

  • Email is configured as the only recovery factor
  • Users are not auto-enrolled through email
  • Users are not allowed to recover without enrollment

Auto-enroll selection behavior

  • Clearing the Auto-enroll checkbox ensures that the email authenticator is not automatically enrolled.
  • Selecting this checkbox does not guarantee automatic enrollment. Enrollment occurs only if the email is required for recovery, the user completes email verification, or an admin updates the user profile.

Okta account management policy

If your org uses the Okta account management policy and the Auto-enroll checkbox is cleared, the email recovery option is available only if users enroll the email authenticator manually.
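The enrollment table and the lockout scenario above combine four settings, and it's easy to misjudge the result for a given user. The following added example (not Okta code, and not an Okta API; it's a local model of the settings named on this page) evaluates a policy the way the text describes: whether the primary email would be auto-enrolled, whether a user who has enrolled nothing still has a recovery path, and whether all three lockout conditions are met. The policy and user fields, and the sample policies, are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model of the settings described on this page (hypothetical names, not Okta's API).
REQUIRED, OPTIONAL, DISABLED = "required", "optional", "disabled"


@dataclass(frozen=True)
class EmailAuthenticatorPolicy:
    enrollment: str                      # REQUIRED, OPTIONAL, or DISABLED in the enrollment policy
    auto_enroll: bool                    # "Auto-enroll using account profile email when possible"
    recovery_authenticators: frozenset   # authenticators allowed for reset/unlock, e.g. {"email", "phone"}
    recover_without_enrollment: bool     # "Send recovery email ... even when ... not been enrolled"


@dataclass(frozen=True)
class UserState:
    enrolled_authenticators: frozenset   # what this user has actually enrolled
    verified_email: bool = False         # user completed email verification


def email_is_only_recovery_factor(policy: EmailAuthenticatorPolicy) -> bool:
    return policy.recovery_authenticators == frozenset({"email"})


def email_gets_auto_enrolled(policy: EmailAuthenticatorPolicy, user: UserState) -> bool:
    """Whether Okta would enroll the primary profile email on the user's behalf."""
    if policy.enrollment == REQUIRED:
        return True                      # Required: the primary email is always auto-enrolled
    if not policy.auto_enroll:
        return False                     # Cleared checkbox: never auto-enrolled
    # Checkbox set: enrollment happens only if email is required for recovery
    # or the user completed email verification (admin profile updates not modelled here)
    return email_is_only_recovery_factor(policy) or user.verified_email


def can_recover(policy: EmailAuthenticatorPolicy, user: UserState) -> bool:
    """Whether this user has a working self-service path to reset a password or unlock."""
    enrolled = set(user.enrolled_authenticators)
    if email_gets_auto_enrolled(policy, user):
        enrolled.add("email")
    if enrolled & policy.recovery_authenticators:
        return True                      # some enrolled authenticator is allowed for recovery
    # Recovery email to the profile address needs no enrollment when that setting is on
    return "email" in policy.recovery_authenticators and policy.recover_without_enrollment


def lockout_risk(policy: EmailAuthenticatorPolicy) -> list:
    """Return the three page conditions when all hold (users must contact an admin), else []."""
    reasons = []
    if email_is_only_recovery_factor(policy):
        reasons.append("email is the only recovery authenticator")
    if policy.enrollment != REQUIRED and not policy.auto_enroll:
        reasons.append("users are not auto-enrolled through email")
    if not policy.recover_without_enrollment:
        reasons.append("recovery without enrollment is not allowed")
    return reasons if len(reasons) == 3 else []


# Constructed sample policies: the lockout-prone one and two ways of fixing it.
RISKY = EmailAuthenticatorPolicy(OPTIONAL, False, frozenset({"email"}), False)
FIXED_BY_RECOVERY_SETTING = EmailAuthenticatorPolicy(OPTIONAL, False, frozenset({"email"}), True)
FIXED_BY_SECOND_FACTOR = EmailAuthenticatorPolicy(OPTIONAL, False, frozenset({"email", "phone"}), False)

if __name__ == "__main__":
    nobody_enrolled = UserState(frozenset())
    for name, policy in [("risky", RISKY),
                         ("recovery setting on", FIXED_BY_RECOVERY_SETTING),
                         ("second recovery factor", FIXED_BY_SECOND_FACTOR)]:
        print(f"{name}: lockout={lockout_risk(policy) or 'none'}, "
              f"unenrolled user can recover={can_recover(policy, nobody_enrolled)}")
```

Note that a second recovery authenticator only helps users who actually enrolled it; the check models that by reporting no lockout for the policy while still returning False from `can_recover` for a user with nothing enrolled.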

Disable email auto-enrollment

  1. Go to Security > Authenticators.
  2. On the Enrollment tab, choose a policy to update (for example, the Default Policy) and click Actions > Edit.
  3. Under Authenticators, in the Email section, select either Disabled or Optional for Enrollment.
  4. Clear the check box Auto-enroll using profile email when possible.
  5. Scroll down and click Update policy.

Enable recovery without enrollment

You can configure a setting that allows end users to receive password reset and account unlock emails to their primary profile email, even if users didn't enroll their email as an authenticator.

To configure the recovery email for unenrolled email:

  1. Go to Security > Authenticators.
  2. On the Setup tab, locate the Password authenticator and click Actions > Edit.
  3. Select the Default Policy and choose a rule to update. For example, the Default Rule.
  4. Under Recovery Authenticators, in the Access control section, select This rule (legacy).
  5. For the AND Users can initiate recovery with option, select the Email checkbox, and then select the checkbox Send recovery email to user's primary and secondary email addresses even when the email authenticator has not been enrolled. When this checkbox is selected, end users can receive a recovery link at their profile email even if they haven't enrolled it as an authenticator.
  6. Scroll down and click Update rule.

Skip email auto-enrollment for new users

You can choose whether to enroll the email authenticator for an end user when you create them in Okta.

  • If you want to auto-enroll the user's email as an authenticator: Activate the user using the activation link (Activate now or Activate later options).
  • If you don't want to enroll the user's email as an authenticator: Set their password using the I will set password option.

Reset the email authenticator for users

If the Enrollment option is set to Optional or Required in the Email section, and if the user's email authenticator is enrolled, you can reset a user's email authenticator in Directory > People.

Click the user and go to the user's profile page. On the page, go to More Actions > Reset Authenticators.

The end-user experience

End users can manage the enrollment of their email authenticator through the Okta End-User Dashboard. The enrolled authenticator gets auto-updated when they successfully change their primary email. End users can also enroll another authenticator instead of their email for account recovery.

The end-user experience varies depending on how you configured the setting Auto-enroll using account profile email when possible:

  • If the Auto-enroll checkbox is not selected: Users see their email as an optional authenticator and they can choose to enroll during login, rather than having it auto-enrolled.
  • If the Auto-enroll checkbox is selected: Users might be enrolled automatically in some cases.

Enroll or remove the email authenticator

End users can enroll or remove their email authenticator in My settings > Security Methods.

However, if the user removes the email authenticator while the self-service account recovery or enrollment policy still needs it, they may be prompted to enroll it again the next time they sign in, or it may be auto-enrolled.

If the user has enrolled their email as an authenticator and successfully changed their primary email address, the new email address automatically replaces the old email as an authenticator.