Self-service account recovery
Self-service account recovery allows active end users to reset their Okta passwords or unlock their accounts without contacting admin support.
You can configure self-service account recovery through a rule in your password policy.
Before you begin
Before configuring a password policy rule, be sure that you’ve enabled the password authenticator and the authenticators that end users can use to initiate a password reset or account unlock.
Configure self-service account recovery
- In the Admin Console, go to Security > Authenticators.
- In the Password row, click Actions > Edit.
- In an existing password policy, click Add Rule or edit an existing rule.
- Configure these options as needed:
  - IF User’s IP is – Specify whether Anywhere, In zone, or Not in zone will invoke the rule.
  - THEN User can perform self-service:
    - Password change (from account settings) – Users can change their password once they’ve authenticated with their password and another factor (if enrolled).
    - Password reset – Users can reset a forgotten password by verifying with any authenticator that is configured in recovery settings.
    - Unlock account – Users can unlock their account by verifying with any authenticator that is configured in recovery settings.
  - AND Users can initiate recovery with:
    - Okta Verify (Push notification only)
    - Phone (SMS / Voice Call)
  - AND Additional verification is:
    - Not required – Users aren’t required to authenticate with a second factor.
    - Any enrolled authenticator used for MFA/SSO – Users are required to authenticate with an MFA authenticator (Okta Verify, Email, Phone, or Security Key) as a second factor.
    - Only Security Question – Users are required to answer a Security Question as a second factor.
- Create or update the password policy rule to save your changes.
You can't use the same authenticator both to initiate recovery and to provide additional verification. The authenticator you select under AND Additional verification is must be different from the authenticator you select under AND Users can initiate recovery with.
Recommended configurations
If the authenticators you configure for everyday Authentication and the authenticators you configure for Recovery don't line up, users can find themselves unable to authenticate when they initiate account recovery.
The following table lists example configurations to avoid, the reason each one fails, and the configuration to use instead:
Configuration to avoid | Reason | Use this configuration instead
---|---|---
Screenshots (not reproduced). To view the settings: in the Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators to view the Used for setting; then click Actions > Edit in the Password row and click the pencil icon for the rule you want to examine. | When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If the user selects Phone, they won't be able to complete the secondary verification because Email is configured for Recovery, not for Authentication. | Screenshot only (not reproduced).
Screenshots (not reproduced). To view the settings: in the Admin Console, go to Security > Authenticators; then click Actions > Edit in the Password row and click the pencil icon for the rule you want to examine. | When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they won't be able to complete the secondary verification because Email is configured for Recovery, not for Authentication. | Screenshot only (not reproduced).
Screenshots (not reproduced). To view the settings: in the Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators to view the Used for setting; then click Actions > Edit in the Password row and click the pencil icon for the rule you want to examine. | Users won't be able to initiate the recovery process for this configuration; they won't be asked to enroll in Okta Verify or Phone because they're not set to Required in the enrollment policy. | To use Phone, Okta Verify, or both to initiate a recovery, ensure that these authenticators are set to Required as part of the enrollment policy.
Screenshots (not reproduced). To view the settings: in the Admin Console, go to Security > Authenticators; then click Actions > Edit in the Password row and click the pencil icon for the rule you want to examine. | When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they won't be able to complete the secondary verification because Phone is configured for Recovery, not for Authentication. | Screenshot only (not reproduced).
Screenshots (not reproduced). To view the settings: in the Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators to view the Used for setting; then click Actions > Edit in the Password row and click the pencil icon for the rule you want to examine. | When users attempt account recovery, they see the Okta Verify, Email, and Phone options to initiate the recovery. If the user selects Okta Verify, they won't be able to complete the secondary verification because Email and Phone are configured for Recovery, not for Authentication. | Screenshot only (not reproduced).
- Email and Phone are MFA authenticators that you can turn off for password reset or account unlock.
- Security Question can also be enabled as an additional verification step. See About MFA authenticators.
- When you select the self-service unlock option for LDAP-sourced Okta user accounts, the user account is unlocked in Okta, but it remains locked in the on-premises LDAP instance.
- Don't set all authenticators on the Security > Authenticators page, Enrollment tab to Optional. Set at least two non-Email authenticators to Required.
- Don't use the authenticator you select for everyday authentication for Recovery.
- To configure additional verification for the everyday authentication requirements of workforce users who must use multifactor authentication, use the Any enrolled authenticator used for MFA/SSO option: go to Security > Authenticators > Setup tab, click Actions > Edit for the Password item, and then select Any enrolled authenticator used for MFA/SSO in the Add Rule or Edit Rule dialog.
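The compatibility rules above (a different, Authentication-capable second factor for each initiating authenticator; initiating authenticators Required in the enrollment policy; at least two non-Email authenticators Required) can be checked before a rule is saved. The following is an added example, not Okta's code or API: the Authenticator dataclass and the lint function are a simplified stand-in for the Admin Console settings, and the two configurations are constructed to mirror the first table row and its corrected form.

```python
from dataclasses import dataclass

# "Used for" values on Security > Authenticators (labels assumed for this example)
AUTHENTICATION = "Authentication and recovery"
RECOVERY_ONLY = "Recovery"
ANY_MFA = "Any enrolled authenticator used for MFA/SSO"   # AND Additional verification is


@dataclass
class Authenticator:
    name: str
    used_for: str     # AUTHENTICATION or RECOVERY_ONLY
    enrollment: str   # "Required", "Optional" or "Disabled" on the Enrollment tab


def lint_recovery_rule(initiate_with, additional_verification, authenticators):
    """Apply the page's compatibility rules to a recovery rule; returns a list of
    problem strings, empty when the rule follows the recommendations.
    `authenticators` is the non-Password list from Security > Authenticators."""
    by_name = {a.name: a for a in authenticators}
    problems = []
    for name in initiate_with:
        auth = by_name.get(name)
        # Table row 3: users are only asked to enroll Required authenticators, so an
        # Optional initiating authenticator can leave them unable to start recovery.
        if auth is None or auth.enrollment != "Required":
            problems.append(f"{name} must be Required in the enrollment policy")
        if additional_verification == ANY_MFA:
            # Other table rows: the second factor must be a different authenticator
            # that is used for Authentication, not one configured only for Recovery.
            others = [a for a in authenticators if a.name != name
                      and a.used_for == AUTHENTICATION and a.enrollment != "Disabled"]
            if not others:
                problems.append(f"no second factor other than {name} is used for Authentication")
    # Tip from the page: keep at least two non-Email authenticators Required.
    if sum(a.enrollment == "Required" and a.name != "Email" for a in authenticators) < 2:
        problems.append("fewer than two non-Email authenticators are Required")
    return problems


# Constructed configurations (not from the page's screenshots): the first mirrors the
# failure in the table's first row, the second is the same tenant after correcting it.
AVOID = [Authenticator("Email", RECOVERY_ONLY, "Required"),
         Authenticator("Phone", AUTHENTICATION, "Required")]
FIXED = [Authenticator("Email", AUTHENTICATION, "Required"),
         Authenticator("Phone", AUTHENTICATION, "Required"),
         Authenticator("Okta Verify", AUTHENTICATION, "Required")]

if __name__ == "__main__":
    for label, cfg in (("avoid", AVOID), ("fixed", FIXED)):
        print(label, lint_recovery_rule(("Phone",), ANY_MFA, cfg) or ["ok"])
```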
Related topics
Configure the Password authenticator
Configure the Okta Verify authenticator