Password reset and account recovery

After you upgrade to Identity Engine, learn about the changes to password reset and account recovery.

Change summary

Classic Engine: Users can reset their passwords with the Email, SMS, and Phone factors. An SMS enrollment made for authentication doesn't carry over to password reset, and Security Question works for additional verification only.

Identity Engine: Password reset and account recovery is now called self-service account recovery. A single authenticator enrollment works for both recovery and authentication, and any enrolled authenticator provides additional verification.

Admin experience

If a password policy doesn't allow password changes, you can't enable password resets in that policy.

Be sure that you enable the Okta Verify, Phone, Email, and Security Question authenticators if you want to make them available in the password policy. Enable the Push feature in Okta Verify to enable it as a recovery option.

If you decide to disable an authenticator later, you must disable it from the password policy first.
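The ordering rule above (clear the authenticator out of every password policy before you deactivate the authenticator) is easy to get wrong in a large org with several policies. The following script, added here as an example and not Okta's own code, walks a list of password policies and reports which ones still reference an authenticator in their recovery settings, then emits the steps in the safe order. The policy documents are constructed to mirror the shape of `GET /api/v1/policies?type=PASSWORD` (`settings.recovery.factors` keyed by `okta_email`, `okta_sms`, `okta_call`, `recovery_question`); the mapping from authenticator key to recovery factor keys, the sample policy names and IDs, and the `authenticator_id` placeholder are assumptions made for the example.

```python
"""Pre-flight check: which password policies still reference an authenticator?

Added example, not Okta's code. Policy documents below are constructed to mirror
GET /api/v1/policies?type=PASSWORD; the authenticator-to-factor mapping and the
sample IDs/names are assumptions, not values from a real org.
"""
import json

# Assumption: which recovery-factor keys each authenticator backs. The Phone
# authenticator covers both SMS and voice call recovery.
AUTHENTICATOR_TO_RECOVERY_FACTORS = {
    "email": ("okta_email",),
    "phone": ("okta_sms", "okta_call"),
    "security_question": ("recovery_question",),
}

# Constructed sample response (not captured from a real org).
SAMPLE_POLICIES_JSON = """
[
  {"id": "pol1", "name": "Default Policy", "status": "ACTIVE",
   "settings": {"recovery": {"factors": {
     "okta_email": {"status": "ACTIVE"},
     "okta_sms": {"status": "ACTIVE"},
     "okta_call": {"status": "INACTIVE"},
     "recovery_question": {"status": "INACTIVE"}}}}},
  {"id": "pol2", "name": "Contractors", "status": "ACTIVE",
   "settings": {"recovery": {"factors": {
     "okta_email": {"status": "ACTIVE"},
     "okta_sms": {"status": "INACTIVE"},
     "okta_call": {"status": "INACTIVE"},
     "recovery_question": {"status": "ACTIVE"}}}}},
  {"id": "pol3", "name": "Legacy (inactive)", "status": "INACTIVE",
   "settings": {"recovery": {"factors": {
     "okta_sms": {"status": "ACTIVE"}}}}}
]
"""


def load_sample_policies():
    """Parse the constructed sample into the list the API would return."""
    return json.loads(SAMPLE_POLICIES_JSON)


def recovery_factor_enabled(policy, factor_key):
    """True when the policy's recovery settings still have factor_key ACTIVE."""
    factors = policy.get("settings", {}).get("recovery", {}).get("factors", {})
    return factors.get(factor_key, {}).get("status") == "ACTIVE"


def _references(policies, authenticator_key):
    """Yield (policy, factor_key) for every live reference to the authenticator."""
    try:
        factor_keys = AUTHENTICATOR_TO_RECOVERY_FACTORS[authenticator_key]
    except KeyError:
        raise ValueError(f"unknown authenticator key: {authenticator_key!r}") from None
    for policy in policies:
        for factor_key in factor_keys:
            if recovery_factor_enabled(policy, factor_key):
                yield policy, factor_key


def policies_blocking_deactivation(policies, authenticator_key):
    """List (policy name, factor key) pairs that must be turned off first.

    Inactive policies are reported too: a policy can be reactivated later, so
    clearing the reference is safer than relying on the policy staying off.
    """
    return [(p["name"], f) for p, f in _references(policies, authenticator_key)]


def deactivation_plan(policies, authenticator_key, authenticator_id="<authenticatorId>"):
    """Ordered steps: policy updates first, then the authenticator lifecycle call.

    Bodies are elided; PUT on a policy replaces the whole object, so in practice
    you send back the full policy with the factor's status set to INACTIVE.
    """
    steps = [
        f"PUT /api/v1/policies/{p['id']} "
        f"(set settings.recovery.factors.{f}.status = INACTIVE)"
        for p, f in _references(policies, authenticator_key)
    ]
    steps.append(f"POST /api/v1/authenticators/{authenticator_id}/lifecycle/deactivate")
    return steps


if __name__ == "__main__":
    policies = load_sample_policies()
    for key in AUTHENTICATOR_TO_RECOVERY_FACTORS:
        print(f"{key}: {policies_blocking_deactivation(policies, key)}")
    print("\n".join(deactivation_plan(policies, "phone", authenticator_id="aut_phone")))
```

Run it against a real policy list by replacing the constructed sample with the response from the Policy API; if `policies_blocking_deactivation` returns anything for the authenticator you plan to retire, the lifecycle deactivate call should not be the next step.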

User experience

These changes affect how users enroll in and use recovery authenticators:

  • The Welcome Wizard isn't available in Identity Engine. Users enroll in recovery factors in the Sign-In Widget.
  • Users in a LOCKED_OUT status can perform password resets.
  • When you initiate a password reset email for users, they can reset their password directly from a link in the email.
  • If you enable the Any enrolled authenticator used for MFA/SSO option in the password policy, users need two different authenticator types to satisfy reset requirements.
  • If a Classic Engine user enrolled in the Security Question factor for both MFA and recovery, they see their MFA questions when they authenticate in Identity Engine. They see their recovery-linked questions when they attempt self-service password resets in Identity Engine. For new Security Question enrollments created in Identity Engine, authentication and recovery use the same Security Questions.
  • If two policies require the same authenticator, users only need to enroll in it once.
Related topics

  • Configure the Email authenticator
  • Configure the Okta Verify authenticator
  • Configure the Password authenticator
  • Configure the Phone authenticator
  • Configure the Security Question authenticator
  • Self-service account recovery
  • Configure the FIDO2 (WebAuthn) authenticator