Sign-In Widget (third generation)

This is an Early Access feature. To learn how to enable it, see Manage Early Access and Beta features.

The Sign-In Widget enables registration, enrollment, verification, and recovery experiences for your users. It's where everyone in your org starts their Okta session.

The third generation of the Sign-In Widget offers the same user experience as the second generation, and adds accessibility improvements in color contrast, focus management, and screen reader behavior. It establishes a foundation for improvements in customization and globalization.

Is the third generation right for your org?

If your org prioritizes accessibility requirements or wants to avoid future migration efforts, consider enabling the third generation.

If your org uses registration hooks, CSS styling, or one of the unsupported authenticators, you shouldn't enable the third generation yet. Those features may be available in future releases. Check this page for updates.

Authenticators

The third generation improves the self-service password reset flow by dynamically updating the password requirements as they're met. If a user submits a password that doesn't meet your requirements, they're notified of the ones they missed.

The third generation doesn't currently support these authenticators:

  • Duo Security

  • RSA

  • Symantec VIP

  • IdP authenticator

  • Social login

  • Custom Authenticator

Branding

The third generation makes multibrand customization easier, but it doesn't support custom CSS overrides. If your org uses the code editor to customize a sign-in page, those customizations don't migrate.

Browsers

The third generation supports most modern browsers, including Chrome, Safari, Firefox, and Edge. The following browsers aren't supported:

  • Internet Explorer

  • Microsoft Edge Legacy

  • Embedded browsers like Microsoft Office

  • Hardware integrations like hand-held Android devices

Code configurations

The following configuration options aren't supported:

  • hide/show

  • off

  • before/after

  • useClassicEngine

  • otp

  • idpDisplay

  • cspNonce

  • hooks (per view)

The following Links API aren't supported:

  • backToSignInLink

  • helpLinks

Custom Buttons API aren't supported.

Deployment

You can use the third generation in the following ways:

  • Okta-hosted sign-in page (default): Okta provides a sign-in page that's available at your org's URL. By default, a user who signs in on this page is redirected to the Okta End-User Dashboard.

  • Okta-hosted sign-in page (customizable): Okta provides a sign-in page that you can customize and make available under a custom subdomain of your company's top-level domain.

The third generation doesn't support self-hosting.

Features

The third generation doesn't support Captcha or IdP Discover (routing rules).

Compare generations

Feature

Second generation

Third generation

Deployment Redirect (Okta-hosted)

Embedded (self-hosted)

Pinning to a specific Okta-hosted version

 Redirect (Okta-hosted)

Automatic deployment of latest EA version
Authenticators Email

Password

Okta Verify (Okta FastPass, push, TOTP)

WebAuthn

Smart Card IdP

Google Authenticator

YubiKey OTP

SMS

Security Question

Custom

Duo Security

RSA

Symantec VIP

IdP authenticator

Social login

 Email

Password

Okta Verify (Okta FastPass, push, TOTP)

WebAuthn

Smart Card IdP (PIV/CaC)

Google Authenticator

YubiKey OTP

SMS

Security Question
Features IdP Discovery (routing rules)

Captcha

Flows Profile enrollment

Authenticator enrollment

Authenticator verification

Forgot password

Account unlock

 Profile enrollment

Authenticator enrollment

Authenticator verification

Forgot password

Account unlock

Globalization

 All out-of-the-box translations

String customization

Bring your own language

 All out-of-the-box translations

String customization

Bring your own language

Right-to-left languages (experimental, requires customization)

Branding

 Branding and multibrands

CSS overrides (code editor)

 Branding and multibrands

Code configurations

 Config options:

  • OktaSignIn

  • showSignIn

  • showSignInAndRedirect

  • remove

  • renderEl

  • on

  • authClient

  • issuer

  • clientId

  • redirectUri

  • codeChallenge

  • codeChallengeMethod

  • state

  • scopes

  • flow

  • recoveryToken

  • hide/show

  • off

  • before/after

  • useClassicEngine

  • otp

  • idpDisplay

  • cspNonce

  • hooks (per view)

Events:

  • ready

  • afterError

  • afterRender

  • transformUsername

Hooks:

  • Registration hooks: parseSchema, preSubmit, postSubmit

Links API:

  • registration

  • registration.click

  • backToSignInLink

  • helpLinks

Custom Buttons API

 Config options:

  • OktaSignIn

  • showSignIn

  • showSignInAndRedirect

  • remove

  • renderEl

  • on

  • authClient

  • issuer

  • clientId

  • redirectUri

  • codeChallenge

  • codeChallengeMethod

  • state

  • scopes

  • flow

  • recoveryToken

Events:

  • ready

  • afterError

  • afterRender

  • transformUsername

Hooks:

  • Registration hooks: parseSchema, preSubmit, postSubmit

Links API:

  • registration

  • registration.click

Restore the second generation widget

If you enable the third generation and find that it doesn't work for your org yet, you can restore the second generation.

  1. In the Admin Console, go to SettingsFeatures.

  2. Select the Sign-In Widget third generation toggle to turn it off.

  3. Click Save.

Related topics

Okta Sign-In Widget Upgrade

Configure a custom Okta-hosted sign-in page

Self-Service Registration