Self-service account recovery

Self-service account recovery allows active end users to reset their Okta passwords or unlock their accounts without contacting admin support.

You can configure self-service account recovery through a rule in your password policy.

Before you begin

Before configuring a password policy rule, make sure that you've enabled the Password authenticator and each authenticator that end users can use to initiate a password reset or account unlock (for example Email, Phone, or Okta Verify), and that the initiating authenticators are set to Required in the enrollment policy so that users actually have them enrolled when they need to recover.

Configure self-service account recovery

  1. In the Admin Console, go to Security > Authenticators.
  2. In the Password row, click Actions > Edit.
  3. In an existing password policy, click Add Rule or edit an existing rule.
  4. Configure these options as needed:
    • IF User’s IP is – Specify whether the rule applies Anywhere, In zone, or Not in zone.
    • THEN User can perform self-service
      • Password change (from account settings) - Users can change their password once they’ve authenticated with their password and another factor (if enrolled).
      • Password reset - Users can reset a forgotten password by verifying with any authenticator that is configured in recovery settings.
      • Unlock account - Users can unlock their account by verifying with any authenticator that is configured in recovery settings.
    • AND Users can initiate recovery with: 
      • Okta Verify (Push notification only)
      • Phone (SMS / Voice Call)
      • Email
    • AND Additional verification is:
      • Not required – Users aren’t required to authenticate with a second factor.
      • Any enrolled authenticator used for MFA/SSO – Users are required to authenticate with an MFA authenticator (Okta Verify, Email, Phone, or Security Key) as a second factor.
      • Only Security Question – Users are required to answer a Security Question as a second factor.
  5. Create or update the password policy rule to save your changes.

You can't use the same authenticator both to initiate recovery and to provide additional verification. The authenticator you select under AND Additional verification is must be different from the authenticator you select under AND Users can initiate recovery with. Otherwise an attacker who controls a single channel (for example, the user's mailbox or phone number) could pass both steps of the recovery flow.

Recommended configurations

Some combinations of the authenticators you enable for everyday authentication and the authenticators you enable for recovery leave users unable to complete verification when they initiate account recovery.

Each of the following examples lists a configuration to avoid, the reason it fails, and the configuration to use instead.

Configuration to avoid

In the Admin Console, go to Security > Authenticators, then select Actions > Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery
  • Phone is set to Authentication and recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule you want to examine:

  • The Email and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

Reason

When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If a user selects Phone, they can't complete the additional verification: Phone can't be used a second time, Email is configured for Recovery only, not for Authentication, and no other authenticator is enrolled.

Use this configuration instead

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to initiate recovery. Phone then remains available for the additional verification.
  • If you need both Email and Phone to initiate recovery, and you also need additional verification with any enrolled authenticator used for MFA/SSO, ensure that other authenticators, such as Okta Verify, WebAuthn, or Google Authenticator, are enabled and set as Required to be enrolled for authentication.

Configuration to avoid

In the Admin Console, go to Security > Authenticators:

  • Email is used for Recovery
  • Okta Verify is used for Authentication and recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule you want to examine:

  • The Email and Okta Verify options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

Reason

When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If a user selects Okta Verify, they can't complete the additional verification because Email is configured for Recovery only, not for Authentication, and no other authenticator is enrolled.

Use this configuration instead

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to initiate recovery. Okta Verify then remains available for the additional verification.
  • If you need both Email and Okta Verify to initiate recovery, and you also need additional verification with any enrolled authenticator used for MFA/SSO, ensure that other authenticators, such as Phone, WebAuthn, or Google Authenticator, are enabled and set as Required to be enrolled for authentication.

Configuration to avoid

In the Admin Console, go to Security > Authenticators, then select Actions > Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery
  • Phone is set to Authentication and recovery, but isn't set as Required for enrollment
  • Okta Verify is set to Authentication and recovery, but isn't set as Required for enrollment
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule you want to examine:

  • The Okta Verify and/or Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section

Reason

Users can't initiate the recovery process with this configuration: they are never asked to enroll in Okta Verify or Phone because neither is set to Required in the enrollment policy, so they have nothing to initiate recovery with.

Use this configuration instead

To use Phone, Okta Verify, or both to initiate recovery, ensure that these authenticators are set to Required in the enrollment policy.

Configuration to avoid

In the Admin Console, go to Security > Authenticators:

  • Phone is used for Recovery
  • Okta Verify is used for Authentication and recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule you want to examine:

  • The Phone and Okta Verify options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

Reason

When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If a user selects Okta Verify, they can't complete the additional verification because Phone is configured for Recovery only, not for Authentication, and no other authenticator is enrolled.

Use this configuration instead

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Phone to initiate recovery. Okta Verify then remains available for the additional verification.
  • If you need both Phone and Okta Verify to initiate recovery, and you also need additional verification with any enrolled authenticator used for MFA/SSO, ensure that other authenticators, such as Email, WebAuthn, or Google Authenticator, are enabled and set as Required to be enrolled for authentication.

Configuration to avoid

In the Admin Console, go to Security > Authenticators, then select Actions > Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery
  • Phone is set to Recovery
  • Okta Verify is set to Authentication and recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule you want to examine:

  • The Okta Verify, Email, and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

Reason

When users attempt account recovery, they see the Okta Verify, Email, and Phone options to initiate the recovery. If a user selects Okta Verify, they can't complete the additional verification because Email and Phone are configured for Recovery only, not for Authentication, and no other authenticator is enrolled.

Use this configuration instead

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email and Phone to initiate recovery. Okta Verify then remains available for the additional verification.
  • If you need all three authenticators (Okta Verify, Email, and Phone) to initiate recovery, and you also need additional verification with any enrolled authenticator used for MFA/SSO, ensure that other authenticators, such as WebAuthn or Google Authenticator, are enabled and set as Required to be enrolled for authentication.
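The rule in the procedure above, the "different authenticator" constraint, and the five examples in the table all reduce to one check per initiating authenticator: it must be enabled for recovery, it must be Required so that users have it enrolled, and, when additional verification is Any enrolled authenticator used for MFA/SSO, some other enrolled authenticator must be usable for authentication. The following linter, added here as an example and not Okta code, encodes that check over plain Python data that mirrors the Admin Console settings. It talks to no Okta API; the class and function names are this example's own, the sample settings are constructed to reproduce the first and third examples in the table, and Email is modelled as Required on the assumption that every user with an email address can receive a recovery email.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# "Used for" values on the Security > Authenticators page.
AUTHENTICATION = "Authentication"
RECOVERY = "Recovery"
BOTH = "Authentication and recovery"

# "AND Additional verification is" options in the password policy rule.
NOT_REQUIRED = "Not required"
ANY_MFA = "Any enrolled authenticator used for MFA/SSO"
ONLY_SECURITY_QUESTION = "Only Security Question"


@dataclass(frozen=True)
class Authenticator:
    name: str
    used_for: str    # AUTHENTICATION, RECOVERY or BOTH
    required: bool   # Required on the Enrollment tab; False means Optional


@dataclass(frozen=True)
class RecoveryRule:
    initiate_with: Tuple[str, ...]   # "AND Users can initiate recovery with"
    additional_verification: str     # one of the three options above


def usable_as_second_factor(a: Authenticator) -> bool:
    """A second factor must be enrolled (Required) and usable for authentication."""
    return a.required and a.used_for in (AUTHENTICATION, BOTH)


def lint_recovery(authenticators: Iterable[Authenticator], rule: RecoveryRule) -> List[str]:
    """Return one message per recovery path that users can't complete.

    An empty list means every authenticator selected to initiate recovery is
    enrolled, enabled for recovery, and (when the rule demands it) leaves a
    different enrolled authenticator available for additional verification."""
    authenticators = list(authenticators)
    by_name = {a.name: a for a in authenticators}
    problems: List[str] = []

    for name in rule.initiate_with:
        a = by_name.get(name)
        if a is None or a.used_for == AUTHENTICATION:
            problems.append(f"{name} isn't enabled for recovery, so it can't initiate recovery")
            continue
        if not a.required:
            # Users are never prompted to enroll an Optional authenticator, so
            # they have nothing to initiate recovery with (third example in the table).
            problems.append(f"{name} isn't Required in the enrollment policy, "
                            f"so users can't initiate recovery with it")
            continue
        if rule.additional_verification == ANY_MFA:
            # The same authenticator can't both initiate recovery and provide the
            # additional verification, so some *other* enrolled authenticator must
            # be usable for authentication (first, second, fourth and fifth examples).
            others = [b.name for b in authenticators
                      if b.name != name and usable_as_second_factor(b)]
            if not others:
                problems.append(f"initiating with {name} leaves no other enrolled "
                                f"authenticator for additional verification")

    if rule.additional_verification == ONLY_SECURITY_QUESTION and "Security Question" not in by_name:
        problems.append("Only Security Question is selected for additional verification, "
                        "but Security Question isn't enabled")
    return problems


# Constructed settings reproducing the first example in the table. Email is
# modelled as Required (assumption of this example: every user with an email
# address can receive a recovery email).
FIRST_EXAMPLE_AUTHENTICATORS = (
    Authenticator("Email", RECOVERY, required=True),
    Authenticator("Phone", BOTH, required=True),
)
FIRST_EXAMPLE_RULE = RecoveryRule(("Email", "Phone"), ANY_MFA)

# The two fixes the table recommends for the first example.
FIX_EMAIL_ONLY = RecoveryRule(("Email",), ANY_MFA)
FIX_ADD_OKTA_VERIFY = FIRST_EXAMPLE_AUTHENTICATORS + (Authenticator("Okta Verify", BOTH, required=True),)

# Constructed settings reproducing the third example: Phone and Okta Verify are Optional.
THIRD_EXAMPLE_AUTHENTICATORS = (
    Authenticator("Email", RECOVERY, required=True),
    Authenticator("Phone", BOTH, required=False),
    Authenticator("Okta Verify", BOTH, required=False),
)
THIRD_EXAMPLE_RULE = RecoveryRule(("Okta Verify", "Phone"), ANY_MFA)

if __name__ == "__main__":
    for label, auths, rule in (
        ("first example", FIRST_EXAMPLE_AUTHENTICATORS, FIRST_EXAMPLE_RULE),
        ("fix: only Email initiates", FIRST_EXAMPLE_AUTHENTICATORS, FIX_EMAIL_ONLY),
        ("fix: Okta Verify Required", FIX_ADD_OKTA_VERIFY, FIRST_EXAMPLE_RULE),
        ("third example", THIRD_EXAMPLE_AUTHENTICATORS, THIRD_EXAMPLE_RULE),
    ):
        print(f"{label}: {lint_recovery(auths, rule) or 'OK'}")
```

Running it reports the Phone path of the first example as broken and both initiating paths of the third example as broken, while either recommended fix yields an empty problem list. To lint a real tenant, transcribe each authenticator's Used for and Enrollment values and the rule's recovery options into the same structures before changing anything in the Admin Console.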

Notes:

  • Email and Phone are MFA authenticators that you can turn off for password reset or account unlock.

  • Security Question can also be enabled as an additional verification step. See About MFA authenticators.

  • When you select the self-service unlock option for LDAP-sourced Okta user accounts, the user account is unlocked in Okta, but it remains locked in the on-premises LDAP instance.

  • Don't set all authenticators on the Security > Authenticators page, Enrollment tab to Optional. Set at least two non-Email authenticators to Required.

  • Don't use the authenticator you select for everyday authentication for Recovery.

  • To require additional verification for the everyday authentication of workforce users who must use multifactor authentication, use the Any enrolled authenticator used for MFA/SSO option: go to Security > Authenticators > Setup tab, click Actions > Edit in the Password row, then select Any enrolled authenticator used for MFA/SSO in the Add Rule or Edit Rule dialog.

Related topics

Configure the Password authenticator

Configure the Okta Verify authenticator

Configure the Email authenticator

Configure the Phone authenticator