Password reset and account recovery

Identity Engine enhances password reset and account recovery for users.

In Identity Engine, you can create policy rules for self-service password reset (SSPR). Users can reset their passwords with email, phone, or Okta Verify with Push, and they can provide additional verification with any enrolled authenticator. This is a change from Classic Engine, which only supports email, SMS, and phone for resets and Security Question for additional verification.

Identity Engine consolidates authenticator enrollments for recovery and authentication. In Classic Engine, users can enroll in SMS for authentication but not for SSPR. In Identity Engine, a single authenticator enrollment works for both recovery and authentication.

Changes to the user interface

In Identity Engine, SSPR options are in Password Policy - Add Rule.

In the Admin Console, go to Security > Authenticators.

Edit the password policy and click Add Rule (or edit an existing rule). In the Password Reset section of the rule, you can select Okta Verify Push and the option that lets users reset their password with any enrolled authenticator.

                  Classic Engine                                   Identity Engine
Password policy   Password Policy dialog (screenshot)              Password Policy - Add Rule dialog (screenshot)
Reset password    Sign-In Widget - Reset Password (screenshot)     Sign-In Widget - Reset your password (screenshot)
Sign-In Widget    Sign-In Widget (screenshot)                      Sign-In Widget (screenshot)

Authenticators and policies

If a password policy doesn’t allow password changes, you can't enable password resets.

Be sure that you enable the Okta Verify, Phone, Email, and Security Question authenticators if you want to make them available in the password policy. You also need to specifically enable the Okta Verify with Push feature before Push appears as a recovery option. If you decide to disable an authenticator later, you have to remove it from the password policy rules first; an authenticator that a policy still references can't be disabled.

User experience

These changes affect how users enroll in recovery authenticators and reset their passwords:

  • The Welcome Wizard isn't available in Identity Engine. Users enroll in recovery factors in the Sign-In Widget.
  • In Identity Engine, users in a LOCKED status can perform password resets. In Classic Engine, LOCKED users are unable to use SSPR.
  • When you initiate a password reset email for users in Identity Engine, they can reset their password directly from a link in the email. When you initiate a password reset email for users in Classic Engine, they have to answer a Security Question first (if the password policy requires it).
  • If you enable the Any enrolled authenticator used for MFA/SSO option in the password policy, users need two different authenticator types to satisfy reset requirements. For example, if a user selects Okta Verify with Push to initiate, they must use a different authenticator, such as WebAuthn, as a second factor.
  • If a Classic Engine user enrolled in the Security Question factor for both MFA and recovery, they see their MFA questions when they authenticate in Identity Engine. They see their recovery-linked questions when they attempt self-service password resets in Identity Engine. For new Security Question enrollments created in Identity Engine, authentication and recovery use the same Security Questions.
  • If the password policy allows the Email or Security Question authenticators for recovery, users must enroll in both of these authenticators. If the password policy allows the Phone authenticator for recovery, users don't have to enroll in the Phone authenticator.
  • If two policies require the same authenticator, users only need to enroll in it once.
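The constraints above (password change must be allowed before reset can be, every recovery method needs its authenticator enabled and Push needs the Okta Verify Push feature, and a step-up authenticator must be of a different type from the one used to start the reset) are easy to get wrong when a rule is created through the API rather than the Admin Console. The following is an added example, not Okta's own code: it builds the JSON body for a PASSWORD rule with SSPR enabled and checks it against those constraints before you send it. The field names (`actions.selfServicePasswordReset.requirement.primary.methods`, `stepUp`) follow the Identity Engine Policy Rule API as understood here and should be treated as an assumption to confirm against your org's API reference; the mapping of methods to authenticators and the sample org state are constructed for the example.

```python
"""Build and sanity-check an Identity Engine password policy rule for
self-service password reset (SSPR).

Added example, not Okta's code. The JSON shape is an assumption about the
Okta Policy Rule API for Identity Engine (POST /api/v1/policies/{policyId}/rules,
rule type PASSWORD); confirm field names against your org's API reference.
"""

# Assumed mapping from an SSPR method to the authenticator that must be
# enabled under Security > Authenticators. "push" additionally requires the
# Okta Verify Push feature, which is tracked as a separate flag below.
METHOD_AUTHENTICATOR = {
    "email": "email",
    "sms": "phone",
    "voice": "phone",
    "push": "okta_verify",
    "security_question": "security_question",
}


def build_sspr_rule(name, primary_methods, step_up_methods=None, allow_change=True):
    """Return the request body for a PASSWORD rule that allows SSPR.

    primary_methods: methods a user may pick to start the reset.
    step_up_methods: methods required as additional verification (None = no step-up).
    """
    step_up = {"required": bool(step_up_methods)}
    if step_up_methods:
        step_up["methods"] = list(step_up_methods)
    return {
        "type": "PASSWORD",
        "name": name,
        "conditions": {"network": {"connection": "ANYWHERE"}},
        "actions": {
            "passwordChange": {"access": "ALLOW" if allow_change else "DENY"},
            "selfServicePasswordReset": {
                "access": "ALLOW",
                "requirement": {
                    "primary": {"methods": list(primary_methods)},
                    "stepUp": step_up,
                },
            },
            "selfServiceUnlock": {"access": "ALLOW"},
        },
    }


def check_sspr_rule(rule, enabled_authenticators, okta_verify_push_enabled):
    """Return a list of problems with the rule; an empty list means it is consistent."""
    problems = []

    def add(msg):
        if msg not in problems:
            problems.append(msg)

    actions = rule["actions"]
    sspr = actions["selfServicePasswordReset"]
    if sspr["access"] != "ALLOW":
        return problems  # nothing to check when reset is not enabled

    # A policy that denies password changes cannot enable password resets.
    if actions["passwordChange"]["access"] != "ALLOW":
        add("password change is denied, so password reset cannot be enabled")

    req = sspr["requirement"]
    primary = req["primary"]["methods"]
    step_up = req["stepUp"].get("methods", []) if req["stepUp"].get("required") else []

    # Every referenced method needs its authenticator enabled in the org.
    for method in primary + step_up:
        auth = METHOD_AUTHENTICATOR.get(method)
        if auth is None:
            add(f"unknown method {method!r}")
            continue
        if auth not in enabled_authenticators:
            add(f"method {method!r} needs the {auth!r} authenticator enabled")
        if method == "push" and not okta_verify_push_enabled:
            add("push requires the Okta Verify Push feature to be enabled")

    # Whatever a user starts the reset with, the step-up must offer a
    # different authenticator type, or that user can never finish.
    step_up_types = {METHOD_AUTHENTICATOR.get(m) for m in step_up}
    for ptype in {METHOD_AUTHENTICATOR.get(m) for m in primary}:
        if step_up and not (step_up_types - {ptype}):
            add(f"a user who starts with {ptype!r} has no different authenticator type for step-up")
    return problems


if __name__ == "__main__":
    # Constructed org state: all four authenticators on, Push feature on.
    org_authenticators = {"email", "phone", "okta_verify", "security_question"}
    good = build_sspr_rule("Allow SSPR", ["email", "push"], ["security_question"])
    print(check_sspr_rule(good, org_authenticators, True))  # -> []
    bad = build_sspr_rule("Broken SSPR", ["push"], ["push"], allow_change=False)
    for problem in check_sspr_rule(bad, {"email"}, False):
        print("-", problem)
```

Run the checks before the POST rather than after: the Admin Console greys out options that violate these rules, but an API client only finds out from an error response, or worse, from a rule that users cannot satisfy.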