Enable users to reset their own passwords

There are three ways to enable self-service password reset for your end users:

Email is the default recovery method for password policies and delegated authentication. You can add SMS and voice call as well, but you must ensure that your users configure them as authentication factors. See Multifactor Authentication.

Organization-wide password policy

Note: The fields in the following procedures are unavailable if your org has enabled the group password policy feature.

To enable self-service password reset in your organization-wide password policy:

  1. In Admin Console, go to Security > Authentication > Password.
  2. Click Edit.
  3. Select Users can unlock their account with self-service.
  4. Click Save.

If you need to make other changes to your organization-wide policy, see Configuring an Organization-Wide Password Policy.

Configure voice call for self-service password resets

With voice call configured, end users receive a voice call containing a recovery code on their mobile device or landline phone.

To enable end users to reset their passwords using voice call:

  1. In Admin Console, go to Security > General.
  2. In the Organization section, click Edit.
  3. Enable the Allow Voice Call for self-service operations option.
  4. Click Save.

The call is made in the user's default language and cannot be customized. If the user's default language is not in the list below, the call is made in English. For more details, see Voice Call Authentication.

  • Chinese (simplified)
  • Chinese (traditional)
  • Dutch
  • English (US)
  • English (UK)
  • English (Canada)
  • French
  • French (Canada)
  • German
  • Italian
  • Japanese
  • Korean
  • Spanish
  • Taiwanese

Configure SMS for self-service password resets

With SMS configured, end users can have Okta send them a text message with a password reset code.

To enable end users to reset their password using SMS:

  1. In Admin Console, go to Security > General.
  2. In the Organization section, click Edit.
  3. Enable the Allow SMS for self-service operations option.
  4. Click Save.

During the onboarding process, new end users must provide their name and username to activate their account, but they may postpone providing optional information like a phone number and a secondary email address. Users who haven't added this information are prompted to update their profile on the first day of the following month or the next time they sign in after the first. At that point, they can specify a phone number for SMS messages or choose to be reminded again the following month (again on the first day or the next time they sign in after the first).

The SMS feature includes an SMS Usage category on the Reports page. The SMS Usage Report enables admins to monitor the number of SMS messages sent.

Note: Invalid users who attempt entry through a Forgot Password or Unlock Account action will not see an error message. This is by design, because an error message could reveal if a user name represents a valid account.

Group password policy

Group password policies enforce password settings on the group or authentication-provider level. Like the organization-wide password policy, group password policies enable you to configure SMS and voice call for self-serve password resets. Group password policies can be applied to Okta-mastered or Active Directory-mastered users, but because Active Directory defines and enforces its own password settings, many group password policy options are unavailable for these users. Consider delegated authentication for Active Directory-mastered users.

Notes

  • This feature must be enabled for your org. If your org hasn't enabled this feature, you can set up self-service password reset in your organization-wide password policy.
  • Some orgs may use additional group password policy features to disable email as the default recovery method. Contact Okta Support for details.

To add a group password policy, see Creating Group Password Policies.

Delegated authentication

Use delegated authentication to enable self-service password resets for Active Directory-mastered end users.

Notes

  • This feature must be enabled for your org.
  • If you have the group password policy feature enabled, the self-service password reset settings described here are overridden and the fields are not available.
  • When this feature is enabled, bulk password expiration includes AD-mastered users.

To enable self-service password reset for AD-mastered users:

  1. In Admin Console, go to Security > Delegated Authentication > Active Directory.
  2. In Password Settings, click Edit.
  3. Enable Users can change their Active Directory passwords in Okta.
  4. Under Password Rules Message, enable Users can reset forgotten AD password in Okta.
  5. Click Save.

End user experience

After you configure the factors and enable self-service password reset, your end users can set up their phones for recovery.

New users

New users can set up their phones for SMS password reset the first time that they sign in to Okta:

  1. Click Add phone number.
  2. Enter a mobile phone number to receive an initial verification code.
  3. Enter the verification code to authenticate to Okta.

Active users

Active end users can set up their phone for SMS password reset from their home page:

  1. Click the user name at the top of the home page, and then select Settings.
  2. In the Forgot Password Text Message section, click Add phone number.
  3. Enter a mobile phone number to receive an initial verification code.
  4. Enter the verification code to authenticate to Okta.

Recover a password using SMS password reset

End users can recover their passwords with SMS when they attempt to sign in:

  1. On the sign-in page, click the Forgot password? link.
  2. Click Send Text Message and then continue through the reset prompts.

Note: Invalid users who attempt entry through a Forgot Password or Unlock Account action will not see an error message. This is by design, because an error message could reveal if a user name represents a valid account.

For more details, see Multifactor Authentication.
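
The notes above say that Forgot Password and Unlock Account show no error for invalid users, so that responses cannot confirm a valid user name. The following added example (not Okta's code; the handler names, sample user, phone number and message text are all assumptions) contrasts a recovery handler that leaks account state with one that answers uniformly, and includes a check that compares responses across probes.

```python
import secrets

# Constructed sample data: one real account, currently locked.
USERS = {"alice@example.com": {"phone": "+15550100", "locked": True}}
SENT = []  # stands in for the SMS gateway: (phone, action, code)

GENERIC = "If that account exists, recovery instructions have been sent."

# Constructed probes: a valid and an invalid user name for each action.
PROBES = [
    ("forgot_password", "alice@example.com"),
    ("forgot_password", "nobody@example.com"),
    ("unlock_account", "alice@example.com"),
    ("unlock_account", "nobody@example.com"),
]


def _send_code(user, action):
    # Six-digit code from a CSPRNG; delivery is simulated by appending to SENT.
    SENT.append((user["phone"], action, f"{secrets.randbelow(10**6):06d}"))


def recover_leaky(action, username):
    """Anti-pattern: distinct errors reveal whether the account exists."""
    user = USERS.get(username)
    if user is None:
        return "Error: unknown user name."
    if action == "unlock_account" and not user["locked"]:
        return "Error: account is not locked."
    _send_code(user, action)
    return "A recovery code has been sent."


def recover_uniform(action, username):
    """Same response on every path; a code goes out only when eligible."""
    user = USERS.get(username)
    if user is not None and (action == "forgot_password" or user["locked"]):
        _send_code(user, action)
    return GENERIC


def leaks_account_state(handler, probes=PROBES):
    """True if the responses differ between probes, i.e. are distinguishable."""
    return len({handler(action, name) for action, name in probes}) > 1
```

Response text is only one channel: a production handler also needs comparable response times and rate limiting on both paths.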

Reset or reconfigure a phone

This is an Early Access feature. To enable it, contact Okta Support.

End users who lose a phone or get a new number can reset or reconfigure their phones by updating their Home > Settings page.
