Password reset and account recovery

Be sure that you enable the Okta Verify, Phone, Email, and Security Question authenticators if you want to make them available in the password policy. Enable the Push feature in Okta Verify to enable it as a recovery option.

If you decide to disable an authenticator later, you must disable it from the password policy first.

• The Welcome Wizard isn't available in Identity Engine. Users enroll in recovery factors in the Sign-In Widget.
• Users in a LOCKED status can't perform password resets.
• When you initiate a password reset email for users, they can reset their password directly from a link in the email.
• If you enable the Any enrolled authenticator used for MFA/SSO option in the password policy, users need two different authenticator types to satisfy reset requirements.
• If a Classic Engine user enrolled in the Security Question factor for both MFA and recovery, they see their MFA questions when they authenticate in Identity Engine. They see their recovery-linked questions when they attempt self-service password resets in Identity Engine. For new Security Question enrollments created in Identity Engine, authentication and recovery use the same Security Questions.
• If two policies require the same authenticator, users only need to enroll in it once.