Okta Identity Engine release notes (Preview)

Version: 2026.02.0

February 2026

Generally Available

Group push for Zoho Mail

Group push is now available for the Zoho Mail app integration. See Zoho Mail supported features.

Okta Provisioning agent, version 3.0.7

Okta Provisioning agent 3.0.7 is now available. This release contains the following updates:

  • The Generic Database Connector now supports Base64 encoded path parameters.
  • Root ownership and permissions for the /var/run directory are restored in the OPP agent RPM build.

Access revoked notifications

For access requests that are managed by conditions, requesters now get notified when their access to a resource expires. Requesters are notified by email, Slack, or Microsoft Teams depending on your configurations.

Admin Console French translation

Now when you set your display language to French, the Admin Console is also translated. See Supported display languages.

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • iOS 26.2.1
  • iOS 18.7.4

The following versions are no longer supported:

  • Windows 11 (10.0.22621.0, 10.0.22621.6060)

Updated Sign-In Widget instructions for Chrome 145

The remediation instructions in the Sign-In Widget now reflect Chrome 145 permission changes that differentiate between local and loopback networks. This update describes the permission as Access other apps and services on this device, rather than Look for and connect to any device on your local network. The updated instructions ensure that users see accurate guidance when prompted to allow Okta Verify to communicate with the browser. See Chrome device permissions.

Agents page description

The Agents page now provides a helpful description so admins can quickly understand the scope and purpose of the page. See View your org agents' status.

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Linux as a platform condition

Okta now supports Linux as a device platform condition in the following policy types and policy rules:

  • App sign-in policies
  • Okta account management policy rules
  • Identity provider routing rules

Protected action notifications removed

For orgs that have migrated to OIDC, toast notifications no longer appear when an admin performs a protected action. See Protected actions in the Admin Console. This update is following a slow rollout process.

More granular maximum clock skew options for LDAP incremental imports

More granular maximum clock skew intervals for LDAP incremental imports have been added to allow for better tuning and improved performance. You can now configure the clock skew to 1, 2, 5, or 10 minutes. This granularity helps you improve import speed by using a clock skew value closer to the actual maximum clock drift of your LDAP server. It also prevents missed updates when the server's clock temporarily moves backward, which ensures data accuracy.

Radius Agent version 2.26

This version includes internal improvements and fixes.

Detection settings in session protection

Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy re-evaluations, helping you focus only on what truly matters. See Session protection.

Enhanced provisioning controls for Microsoft Office 365

Admins can now configure the Microsoft Office 365 integration to sync only user profile attributes, or to sync attributes, licenses, and roles. This setting helps prevent Okta from overwriting licenses and roles that are managed directly in Microsoft. See Provision users to Office 365.

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Grace period for device assurance

Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Configure remediation.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

Early Access

Device-Bound Single Sign-On

Device-Bound Single Sign-On initiates a hardware-protected session for seamless access to apps after users sign in to Okta-joined macOS and Windows devices. This feature provides session replay protection and a streamlined authentication experience. See Device-Bound Single Sign-On.

Okta FastPass using SSO extension now supports Chrome on macOS

You can now enable the SSO extension support for Chrome on macOS option to support use of the SSO extension on Chrome 145 or later. This ensures seamless authentication for users on the latest browser versions on macOS.

Okta as a fallback identity provider

This feature redirects users to Okta to authenticate if the primary identity provider can't establish their identity. This can happen because of explicit rejections, like invalid credentials and MFA failures, or if an existing user session can't be silently verified, such as during a prompt=none OIDC request or IsPassive=true SAML request. See Configure identity provider routing rules.

Authentication Activity report

The Authentication Activity report provides detailed authentication insights including Okta FastPass usage, complementing the MFA Activity report. You can view activity filtered by device type (Android, iOS, macOS, Windows), management state (managed, unmanaged), registration status (registered, unregistered), and verification method (TOTP, Push, Okta FastPass). See Authentication Activity report.

OAuth 2.0 support for custom email providers

You can now configure custom email providers with OAuth 2.0 authentication. You can choose between two OAuth 2.0 client configurations to fetch access tokens and use those access tokens to authenticate with your email provider's SMTP server. See Use your own email provider.

Detect and discover AI agents

Use the Security Access Monitor browser plugin and Okta Identity Security Posture Management (ISPM) to get visibility into any new OAuth grants to apps and the consequent shadow AI agent usage for your org. The plugin monitors managed browsers for any new OAuth grants to apps and AI agents. ISPM captures OAuth grant telemetry, analyzes the data, and provides you with the visibility you need to identify every third-party app that your users authorize. This helps you mitigate risks related to shadow OAuth grants and AI agents. After you configure the plugin, you can find all new OAuth grants across your org by going to NHIs and AI agents > Browser OAuth Grants page in the ISPM console. See Detect and discover AI agents.

On-premises connector for Generic Databases

The new on-premises connector for Generic Databases allows admins to manage users and entitlements in on-premises databases using the Okta On-Prem SCIM Server. This connector supports Oracle, MySQL, PostgreSQL, and Microsoft SQL Server. It enables orgs to apply governance features like Access Requests, Certifications, Lifecycle Management, and Entitlement Management to their database environments. See On-premises Connector for Generic Databases.

Bot protection

Bot protection enables orgs to automatically identify and mitigate bot traffic by configuring remediation actions within the Identity Threat Protection (ITP) landing page. See Bot protection.

Skip counts for authenticator enrollment grace periods

This feature allows admins to define the number of times end users can skip enrollment in an authenticator, and to customize the prompt that end users see during the grace period. See Authenticator enrollment policies.

Passkeys rebrand

The FIDO2 (WebAuthn) authenticator is being rebranded to Passkeys (FIDO2 WebAuthn), and Okta is introducing enhanced administrative controls and a streamlined user experience. This update centralizes passkey management through a consolidated settings page, allows for customized authenticator naming, and introduces a dedicated Sign in with a passkey button within the Sign-In Widget. These enhancements simplify the authentication journey and provide users with a more intuitive sign-in process. See Configure the FIDO2 (WebAuthn) authenticator.

Enhanced breached credentials protection

This feature provides a premium breached credentials detection feed for Okta Customer Identity (OCI) customers with Identity Threat Protection, which identifies more compromised credentials sooner. See Breached credentials protection.

User enumeration prevention enhancement

Admins can now configure which authentication methods users are prompted for when they sign in from an unknown device or browser and trigger enumeration prevention. This enhances org security by adding more protection to sign-in attempts. See General Security.

Fixes

  • When an admin ran a delegated flow from the Admin Console, there was sometimes a delay before the flow was invoked in Workflows. (OKTA-803849)

  • Downloaded versions of the Session Protection Violation report displayed an outdated report name. (OKTA-945660)

  • The Okta user status found in Get User API calls was inconsistent with the status in the User Profile page of the Admin Console. (OKTA-998996)

  • Deprovisioning tasks on the Tasks page contained a grammatical error in the message that stated when the app was unassigned. (OKTA-1049153)

  • Users who entered an invalid activation code in the Sign-In Widget (third generation) were redirected to an error page and had to restart the sign-in flow. (OKTA-1062744)

  • On the Authenticator groups page, the Edit option didn't work if the group contained an AAGUID that had been removed from the FIDO Metadata Service (MDS) catalog. (OKTA-1065999)

  • No policy.rule.update event was recorded in the System Log when the Session Protection Status was changed. (OKTA-1067983)

  • The CSP allowlist blocked the CAPTCHA script from running on the Agentless Desktop SSO endpoint. (OKTA-1079691)

  • When importing users from Office 365 using Profile Sync, the mail attribute didn't update the primary email field in the user profile. (OKTA-1080609)

  • Users were required to sign out twice from the Settings page when both the End User Settings V2 and Device-Bound SSO features were enabled. (OKTA-1082227)

  • When users clicked the Microsoft Teams tile on the Okta End-User Dashboard, they were directed to an error page stating that "Classic Teams is no longer available." This occurred because the destination URL was outdated following a change by Microsoft. (OKTA-1084267)

  • The header on the authorization server page sometimes rendered twice. (OKTA-1089098)

  • For some orgs using ITP, network zone matching failed when policies were re-evaluated during a session. (OKTA-1091799)

  • Admins could delete authenticators that were used in app sign-in policies. (OKTA-1093364)

  • Some users saw an infinite redirect loop when they tried to access their account settings using the Safari browser. (OKTA-1093837)

Doc Updates

Documentation in French

Documentation for Okta Classic Engine and Okta Identity Engine is now published in French.

Improvements to Okta release notes

Release notes for the following products now cover the current month and the previous 12 months on a single page for faster browsing:

This improvement allows you to find recent updates more efficiently. If you need release notes for a release older than 12 months, contact Okta Support.

Okta Integration Network

  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.

  • HashiCorp Vault (OIDC) is now available. Learn more.

  • Instagram (SWA) was updated.

  • Mailchimp (SWA) was updated.

  • Solarwinds Customer Portal (SWA) was updated.

  • Peaxy Lifecycle Intelligence (OIDC) has a new app name.

Weekly Updates

2026.02.1: Update 1 started deployment on February 11

Generally Available

Device assurance OS version update

The following OS versions are now supported in device assurance policies:

  • Android 13, 14, 15, 16 security patch 2026-02-01

To view the latest OS support updates, see Okta Device Assurance: Supported OS levels.

Fixes

  • Group rules sometimes failed when they were executed immediately after a group rule was deleted. (OKTA-880814)

  • Group push sometimes failed during deployments. (OKTA-941489)

  • In orgs with the Enable Custom Admin Roles for Identity Providers Early Access feature enabled, admins with View IdP or Manage IdP custom admin roles couldn't configure existing IdPs, even though they had the right permissions. (OKTA-1091232)

  • When the display language was set to French, the Agents and API > Tokens pages weren't translated. (OKTA-1104991)

  • App imports failed with a BeanCreationNotAllowedException error when system deployments interrupted the process. (OKTA-1105164)

  • When a user's API status was suspended, but their user status differed, their password could incorrectly be expired. (OKTA-1108658)

Okta Integration Network

  • HashiCorp Vault (OIDC) is now available. Learn more.

  • Peaxy Lifecycle Intelligence (OIDC) is now available. Learn more.

  • Peaxy Lifecycle Intelligence (OIDC) has a new app name.

  • Solarwinds Customer Portal (SWA) was updated.

  • Mailchimp (SWA) was updated.

  • Instagram (SWA) was updated.

Preview Features

Admin Console recent search results

The spotlight search now displays the admin's recent search results. See Admin Console search.

Linux as a platform condition

Okta now supports Linux as a device platform condition in the following policy types and policy rules:

  • App sign-in policies
  • Okta account management policy rules
  • Identity provider routing rules

Detection settings in session protection

Tailor ITP to your org's security priorities to gain control and balance security with a seamless user experience. With new detection settings, you can define which session context changes trigger policy re-evaluations, helping you focus only on what truly matters. See Session protection.

New System Log objects for security.request.blocked events

The System Log now displays the following IpDetails objects for dynamic and enhanced dynamic zones:

  • Operator indicates whether the type is VPN or Proxy
  • Type includes values like VPN, Proxy, and Tor
  • IsAnonymous indicates if the proxy is anonymous

These objects move risk and behavior telemetry out of string-only keys in the debug context and into dedicated, structured fields in the security context event. This change improves risk visibility and eliminates the need for string parsing.

Maximum consecutive characters setting for passwords

You can now set a maximum number of consecutive repeating characters in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Block words from being used in passwords

You can now use Okta Expression Language to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements.

Workday supports incremental imports

Workday now has the ability to run immediate, incremental imports. Incremental imports are much faster than full imports. However, they don't detect when users only have changes to custom attributes, so you must periodically run a full import to capture these changes. See Incremental imports.

Grace period for device assurance

Occasionally, users' devices might fall out of compliance with security policies due to temporary conditions such as missed software updates or unapproved network connections. Without a grace period, they would be immediately blocked from accessing critical resources, which disrupts productivity and causes frustration. The Grace period for device assurance feature allows you to define a temporary window during which non-compliant devices can still access resources. This gives users time to remediate issues without being locked out, balancing productivity with security standards. See Add a device assurance policy.

Same-device enrollment for Okta FastPass

On orgs with Okta FastPass, the Okta Verify enrollment process has been streamlined:

  • Users can initiate and complete enrollment on the device they're currently using. Previously, two different devices were required to set up an account.
  • Users no longer need to enter their org URL during enrollment.
  • The enrollment flow has fewer steps.

This feature is supported on Android, iOS, and macOS devices.

Prevent new single-factor access to the Admin Console

This feature prevents admins from configuring any new single-factor access to the Admin Console. This feature is currently available to new orgs only.

Application Entitlement Policy

Admins can now override attribute mapping when assigning apps to individuals or groups. You can also revert attributes to their default mappings. See Override application attribute mapping. This feature will be gradually made available to all orgs.

Dynamic OS version compliance for device assurance

You can configure OS version compliance by using device assurance. However, you have to manually update the policies every time a new OS version or patch is released. With Dynamic OS version compliance, Okta updates device assurance policies with the latest OS versions and patches, eliminating the need for manual updates. With this feature you can ensure OS version compliance in your org without tracking OS releases. See Add a device assurance policy.

End-user setting for nicknaming factors

End users can now nickname their phone, WebAuthn, and Okta Verify factors. If they have enrolled multiple instances of a factor, giving nicknames helps them identify the factors quickly (for example, "My personal cellphone" or "My office MacBook TouchID"). See the end-user documentation. This is a self-service feature.

Descriptive System Log events

When Okta identifies a security threat, the resulting security.threat.detected System Log entry now provides a descriptive reason for the event. See System Log.

New flexible LDAP

A new LDAP schema allows flexibility by moving email to the custom schema and making first name, last name, username, and UID optional. This avoids error scenarios when an LDAP schema doesn't include specific attributes.

ThreatInsight coverage on core Okta API endpoints

Okta ThreatInsight coverage is now available for core Okta API endpoints:

Based on heuristics and machine learning models, Okta ThreatInsight maintains an evolving list of IP addresses that consistently show malicious activity across Okta's customer base. Requests from these bad IP addresses can be blocked or elevated for further analysis when Okta ThreatInsight is enabled for an Okta org. Previously, Okta ThreatInsight coverage only applied to Okta authentication endpoints (including enrollment and recovery endpoints). With this release, enhanced attack patterns are detected for authentication endpoints and limited attack patterns are also detected for non-authentication endpoints. There are no changes to the existing Okta ThreatInsight configuration. You can still enable Okta ThreatInsight with log and block mode, log mode, and exempt network zones. A new Negative IP Reputation reason is available for high security.threat.detected events. See System Log events for Okta ThreatInsight.

SSO apps dashboard widget

The new SSO apps widget displays the number of user sign-in events across each of your org's apps over a selected period of time. You can use it to see which apps are used most frequently and to easily monitor the authentication activity across your org.

Email failure events in the System Log

Admins can now view email delivery failure events in the System Log. This helps admins better monitor the email event activity in their org. See System Log.

Improvements to the self-service unlock process

Earlier versions of the self-service unlock (SSU) flow created unnecessary friction in the end user experience. The newly enhanced SSU feature introduces a seamless magic link experience in emails sent out to unlock accounts. Users no longer need to provide consent when using the same browser. In addition, after successfully unlocking their account, clicking the email magic link counts towards the app's assurance policy. After the assurance requirements are met, the user is signed directly in to the app.

Improvements to the self-service registration experience

Earlier versions of the self-service registration (SSR) flow used a complicated array of templates to send activation emails to end users. The simplified SSR flow reduces this to only two email templates with customized welcome messages. If your app requires immediate verification of the end user's email address, Okta uses the Registration - Activation template. This template includes a magic link for a smoother sign-in experience. If email verification isn't immediately required to sign in to the app, Okta uses the Registration - Email Verification template. This template includes a link for end users to complete email verification at any time after they successfully sign in to the app.

Device Authorization grant type

Advancements in internet technology have seen an explosion of smart devices and the Internet of Things. Consumers need to sign in to apps that run on these devices, but the devices either lack support for a web browser or have limited ability for input, such as smart TVs, car consoles, and thermostats. As a result, users resort to insecure authentication solutions that are error prone and time consuming.

The Device Authorization grant feature is an OAuth 2.0 grant type that allows users to sign in to input-constrained devices and also to devices that lack web browsers. This feature enables users to use a secondary device, such as a laptop or mobile phone, to sign in to apps that run on such devices.
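
The device side of this grant, following RFC 8628, as an added example that is not part of the release notes and is not Okta code: the input-constrained device shows a user code, then polls the token endpoint while the user approves on a second device. `SimulatedAuthServer`, `FakeClock`, `run`, the `idp.example` URL, and all codes and tokens are constructed for illustration so the block runs offline.

```python
import time

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628


class DeviceFlowError(Exception):
    """Terminal token-endpoint error; the device must stop polling."""


class SimulatedAuthServer:
    """Constructed stand-in for an authorization server (no network)."""

    def __init__(self, token_replies, expires_in=600):
        self.token_replies = list(token_replies)  # canned replies, in order
        self.expires_in = expires_in

    def device_authorization(self, client_id):
        # device_code stays on the device; user_code is shown to the user,
        # who enters it at verification_uri on a laptop or phone.
        return {"device_code": "constructed-device-code",
                "user_code": "ABCD-EFGH",
                "verification_uri": "https://idp.example/activate",
                "expires_in": self.expires_in, "interval": 5}

    def token(self, form):
        assert form["grant_type"] == GRANT_TYPE
        return self.token_replies.pop(0)


class FakeClock:
    """Lets the example finish instantly instead of really sleeping."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def poll_for_token(server, client_id, grant, sleep=time.sleep, now=time.monotonic):
    """Poll until the user approves, denies, or the device code expires."""
    interval = grant.get("interval", 5)       # RFC 8628 default is 5 seconds
    deadline = now() + grant["expires_in"]    # never poll forever
    waits = []
    while now() < deadline:
        sleep(interval)
        waits.append(interval)
        reply = server.token({"grant_type": GRANT_TYPE, "client_id": client_id,
                              "device_code": grant["device_code"]})
        error = reply.get("error")
        if error is None:
            return reply, waits               # contains access_token
        if error == "slow_down":
            interval += 5                     # back off for all later polls
        elif error != "authorization_pending":
            raise DeviceFlowError(error)      # access_denied, expired_token, ...
    raise DeviceFlowError("expired_token")


def run(token_replies, expires_in=600):
    """Run one simulated sign-in and return (token_reply, waits)."""
    server, clock = SimulatedAuthServer(token_replies, expires_in), FakeClock()
    grant = server.device_authorization("constructed-client-id")
    return poll_for_token(server, "constructed-client-id", grant,
                          sleep=clock.sleep, now=clock.now)
```

A client that ignores `slow_down` or keeps polling after `access_denied` looks like abusive traffic to the authorization server, so the back-off and the hard stop are the parts worth checking when reviewing a device integration.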