Make email an optional authenticator

Early Access release. See Enable self-service features.

This feature gives you and your end users more control over the email authenticator. You can choose whether you want to auto-enroll a user's email as an authenticator or reset their email authenticator from the Admin Console. End users can also manage the enrollment of the email authenticator from their End-User Dashboard.

How authentication works

Depending on how you've set up the authenticator enrollment policy, the email authenticator is either auto-enrolled or available as an option to your end users for enrollment. This table describes how the enrollment works:

Email setting   Enrollment behavior
Required        User's primary email address is auto-enrolled.
Optional        Users need to enroll their primary email address if they want to use it as an authenticator.
Disabled        Users may be prompted to enroll their primary email address if it's necessary for account recovery, but they can't use it for authentication.

How account recovery works

When configuring self-service account recovery, you need to specify which authenticators end users can use to reset their password or unlock their account. End users must enroll at least one of these authenticators. If email is the only authenticator you've specified for account recovery, then the end users must enroll their email as an authenticator.

Skip email auto-enrollment for new users

You can choose whether to enroll the email authenticator for a user when you create them in Okta.

  • If you want to auto-enroll the user's email as an authenticator: Activate the user using the activation link (Activate now or Activate later options).
  • If you don't want to enroll the user's email as an authenticator: Set their password using the I will set password option.

Reset the email authenticator for users

You can reset a user's email authenticator in Directory > People.

Click the user and go to the user's profile page. On the page, go to More Actions > Reset Authenticators.

End-user experience

End users can manage the enrollment of their email authenticator through the Okta End-User Dashboard. The enrolled authenticator gets auto-updated when they successfully change their primary email. They can also enroll another authenticator instead of the email for account recovery.

Enroll or remove the email authenticator

Users can enroll or remove their email authenticator in Settings > Security Methods.

However, if the user removes the email authenticator while the self-service account recovery policy or the enrollment policy still requires it, they may be prompted to enroll it again the next time they sign in, or it may be auto-enrolled.
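The interaction between the email authenticator setting (Required, Optional, Disabled), the self-service recovery policy, and what a user has actually enrolled is easy to get wrong when auditing a tenant. The following is an added example, not Okta's code or API, that evaluates those rules from this page over a constructed user inventory: the authenticator keys (`okta_email`, `okta_verify`), the setting names, and the user list are assumptions made for the example. It reports which users will be auto-enrolled, which must enroll email because it is the only recovery option, and which have no recovery authenticator at all.

```python
# Added audit example (not Okta's code): applies the enrollment-policy and
# account-recovery rules described on this page to a constructed inventory
# of users and their enrolled authenticators.

EMAIL = "okta_email"  # assumed key for the email authenticator

VALID_SETTINGS = ("required", "optional", "disabled")


def audit_user(email_setting, recovery_authenticators, enrolled):
    """Return a status string for one user.

    email_setting: "required", "optional" or "disabled" (the enrollment
        policy's setting for the email authenticator).
    recovery_authenticators: authenticators the recovery policy allows.
    enrolled: authenticators the user has enrolled.
    """
    if email_setting not in VALID_SETTINGS:
        raise ValueError(f"unknown email setting: {email_setting!r}")
    enrolled = set(enrolled)
    recovery = set(recovery_authenticators)

    # Required: the primary email is auto-enrolled, so a missing email
    # authenticator is added by Okta rather than left to the user.
    if email_setting == "required" and EMAIL not in enrolled:
        return "email-will-be-auto-enrolled"

    # Recovery requires at least one of the allowed authenticators.
    if recovery and not (recovery & enrolled):
        if recovery == {EMAIL}:
            # Email is the only recovery option, so the user must enroll it
            # (they may be prompted even when the setting is Disabled).
            return "must-enroll-email-for-recovery"
        return "no-recovery-authenticator-enrolled"

    # Disabled: an enrolled email can serve recovery but not authentication,
    # so a user whose only authenticator is email has nothing usable to sign in.
    if email_setting == "disabled" and enrolled == {EMAIL}:
        return "no-usable-authenticator"

    return "ok"


def audit_users(email_setting, recovery_authenticators, users):
    """Map each login (-> list of enrolled authenticators) to a status."""
    return {
        login: audit_user(email_setting, recovery_authenticators, enrolled)
        for login, enrolled in users.items()
    }


# Constructed sample inventory; not real tenant data.
SAMPLE_USERS = {
    "alice@example.com": ["okta_email", "okta_verify"],
    "bob@example.com": ["okta_verify"],
    "carol@example.com": [],
    "dave@example.com": ["okta_email"],
}

if __name__ == "__main__":
    recovery = ["okta_email", "okta_verify"]
    for setting in VALID_SETTINGS:
        print(f"email setting = {setting}")
        for login, status in audit_users(setting, recovery, SAMPLE_USERS).items():
            print(f"  {login:20} {status}")
```

Run it to see how the same inventory is classified under each of the three settings; feeding it a real export of enrolled authenticators is left to the reader, since the page does not describe that interface.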

If the user has enrolled their email as an authenticator and successfully changed their primary email address, the new email address automatically replaces the old email as an authenticator.