Sign-In Widget (third generation)
This is an Early Access feature. To learn how to enable it, see Manage Early Access and Beta features.
The Sign-In Widget enables registration, enrollment, verification, and recovery experiences for your users. It's where everyone in your org starts their Okta session.
The third generation of the Sign-In Widget offers the same user experience as the second generation, and adds accessibility improvements in color contrast, focus management, and screen reader behavior. It establishes a foundation for improvements in customization and globalization.
Is the third generation right for your org?
If your org prioritizes accessibility requirements or wants to avoid future migration efforts, consider enabling the third generation.
If your org uses registration hooks, CSS styling, or one of the unsupported authenticators, you shouldn't enable the third generation yet. Those features may be available in future releases. Check this page for updates.
Authenticators
The third generation improves the self-service password reset flow by dynamically updating the password requirements as they're met. If a user submits a password that doesn't meet your requirements, they're notified of the ones they missed.
The third generation doesn't currently support these authenticators:
-
Duo Security
-
RSA
-
Symantec VIP
-
IdP authenticator
-
Social login
-
Custom Authenticator
Branding
The third generation makes multibrand customization easier, but it doesn't support custom CSS overrides. If your org uses the code editor to customize a sign-in page, those customizations don't migrate.
Browsers
The third generation supports most modern browsers, including Chrome, Safari, Firefox, and Edge. The following browsers aren't supported:
-
Internet Explorer
-
Microsoft Edge Legacy
-
Embedded browsers like Microsoft Office
-
Hardware integrations like hand-held Android devices
Code configurations
The following configuration options aren't supported:
-
hide/show
-
off
-
before/after
-
useClassicEngine
-
otp
-
idpDisplay
-
cspNonce
-
hooks (per view)
The following Links API aren't supported:
-
backToSignInLink
-
helpLinks
Custom Buttons API aren't supported.
Deployment
You can use the third generation in the following ways:
-
Okta-hosted sign-in page (default): Okta provides a sign-in page that's available at your org's URL. By default, a user who signs in on this page is redirected to the Okta End-User Dashboard.
-
Okta-hosted sign-in page (customizable): Okta provides a sign-in page that you can customize and make available under a custom subdomain of your company's top-level domain.
The third generation doesn't support self-hosting.
Features
The third generation doesn't support Captcha or IdP Discover (routing rules).
Compare generations
Feature |
Second generation |
Third generation |
---|---|---|
Deployment | Redirect (Okta-hosted) Embedded (self-hosted) Pinning to a specific Okta-hosted version |
Redirect (Okta-hosted) Automatic deployment of latest EA version |
Authenticators | Email Password Okta Verify (Okta FastPass, push, TOTP) WebAuthn Smart Card IdP Google Authenticator YubiKey OTP SMS Security Question Custom Duo Security RSA Symantec VIP IdP authenticator Social login |
Email Password Okta Verify (Okta FastPass, push, TOTP) WebAuthn Smart Card IdP (PIV/CaC) Google Authenticator YubiKey OTP SMS Security Question |
Features | IdP Discovery (routing rules) Captcha |
|
Flows | Profile enrollment Authenticator enrollment Authenticator verification Forgot password Account unlock |
Profile enrollment Authenticator enrollment Authenticator verification Forgot password Account unlock |
Globalization |
All out-of-the-box translations String customization Bring your own language |
All out-of-the-box translations String customization Bring your own language Right-to-left languages (experimental, requires customization) |
Branding |
Branding and multibrands CSS overrides (code editor) |
Branding and multibrands |
Code configurations |
Config options:
Events:
Hooks:
Links API:
Custom Buttons API |
Config options:
Events:
Hooks:
Links API:
|
Restore the second generation widget
If you enable the third generation and find that it doesn't work for your org yet, you can restore the second generation.
-
In the Admin Console, go to .
-
Select the Sign-In Widget third generation toggle to turn it off.
-
Click Save.