Self-service account recovery

Self-service account recovery allows active end users to reset their Okta passwords or unlock their accounts without contacting admin support.

You can configure self-service account recovery through a rule in your password policy. Or, if you want to require phishing-resistant authenticators when users perform these actions, see Okta account management policy.

Before you begin

  • Enable all the authenticators that you want to use for account recovery.
  • If you want to use Okta Verify for account recovery, enable the Push notification option.
  • Enable extra authenticators for use in non-recovery scenarios. These should be different from the authenticators used for recovery scenarios. You can't reuse the recovery authenticators for providing additional verification.
  • Set at least two non-email authenticators to Required in the authenticator enrollment policy. Okta recommends that you require users to enroll in multiple authenticators so that they have enough authenticators available for recovery and authentication.

Configure self-service account recovery

  1. Add a password policy.
  2. Optional. If you enabled the Okta account management policy feature but don't want to use it for self-service actions, set the Access control condition to Legacy.
  3. Configure the self-service options as needed.

Recommended configurations

Some configurations can block users from authenticating during account recovery. The following table provides examples of configurations to avoid, explanations, and recommendations on what to do instead.

Configuration to avoid

Reason

Use this configuration instead

In the Admin Console, go to SecurityAuthenticators, select Actions and Edit for the email and phone authenticators to view the Used for setting:

  • Email is set to Recovery

  • Phone is set to Authentication and recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to SecurityAuthenticators, and click Actions Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Email and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section

  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If the user selects phone, they can't complete the secondary verification because email is configured for recovery only, not for authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable email to be allowed to initiate recovery.

  • To allow email and phone to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Okta Verify

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to SecurityAuthenticators:

  • Email is used for Recovery

  • Okta Verify is used for Authentication and Recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to SecurityAuthenticators, and click Actions Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Email and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section

  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because email is configured for recovery only, not for authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable email to be allowed to initiate recovery.

  • To allow email and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Phone

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to SecurityAuthenticators, select Actions and Edit for the email and phone authenticators to view the Used for setting:

  • Email is set to Recovery

  • Phone is set to Authentication and Recovery, but isn't set as Required for enrollment

  • Okta Verify is set to Authentication and Recovery, but isn't set as Required for enrollment

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to SecurityAuthenticators, and click ActionsEdit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Okta Verify and/or Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section

Users can't initiate the recovery process for this configuration because the authenticator enrollment policy doesn't require them to enroll in Okta Verify or phone.

To use phone, Okta Verify, or both to initiate a recovery, ensure that these authenticators are set to Required in the authenticator enrollment policy.

In the Admin Console, go to SecurityAuthenticators:

  • Phone is used for Recovery

  • Okta Verify is used for Authentication and Recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to SecurityAuthenticators, and click Actions Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Phone and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because phone is configured for recovery only, not for authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable phone to be allowed to initiate recovery.

  • To allow phone and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Email

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to SecurityAuthenticators, select ActionsEdit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery
  • Phone is set to Recovery
  • Okta Verify is set to Authentication and Recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to SecurityAuthenticators, and click ActionsEdit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Okta Verify, Email, and Phone (SMS/Voicecall) options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see the Okta Verify, Email, and Phone options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because email and phone are configured for recovery only, not for authentication.
  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable email and phone to be allowed to initiate recovery.

  • To allow phone, email, and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • WebAuthn

      • Google Authenticator

  • You can disable email and phone for password reset or account unlock.
  • You can enable Security Question as an additional verification step.
  • When you select the unlock option for LDAP-sourced Okta user accounts, the user account is unlocked in Okta, but it remains locked in the on-premises LDAP instance.
  • Set at least two non-email authenticators to Required.
  • Don't use the authenticator you select for everyday authentication for recovery.
  • In self-service password reset scenarios, when you select Okta Verify with push as the only authenticator, and you've activated User Enumeration Prevention for recovery, users still receive number matching challenges even if you've turned that setting off.

Related topics

Configure the password authenticator

Configure the Okta Verify authenticator

Configure the email authenticator

Configure the phone authenticator