Okta account management policy

Early Access release. See Enable self-service features.

The Okta account management policy defines authentication requirements when users enroll or unenroll authenticators, recover their passwords, and unlock their accounts. Its rule-based framework lets you enforce phishing resistance throughout the user journey, from onboarding to authentication and recovery.

How it works

Like other authentication policies, the Okta account management policy contains a catch-all rule, and you set your own requirements by adding rules and prioritizing them over the catch-all. However, this policy is different in a few key ways. The basic properties like name and description are read-only. You can't delete the policy (you have to disable the feature if you want to stop using it). And most importantly, you can't assign it to apps. This policy applies to account management actions only.

The catch-all rule allows access with two factors, and it controls the profile edits. You can add more rules to control other account management actions, like authenticator enrollment or unenrollment, password recovery, and account unlock. It's important that you prioritize these account management rules over any rules that govern profile edits.

Keeping the catch-all (and any rules that control profile edits) at the lowest priority ensures that users are evaluated against the authenticator-specific rules first. The rule that applies also controls which authenticator actions are available in the user's profile. For example, if a user doesn't meet the password reset requirements, the Reset option isn't available to them in their security method settings.
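The ordering point above is easy to get wrong, so here is a small added model of first-match rule evaluation. It is an illustration written for this page, not Okta's policy engine: the rule shape, the action names, the idea that a rule with no user-action condition governs profile edits and therefore matches every action, and the set of authenticators treated as phishing resistant are all assumptions. It shows that the same rules, with a profile-edit rule promoted above the enrollment and recovery rules, let a user with two non-phishing-resistant factors reset their password, whereas the recommended ordering withholds that option.

```python
"""Toy model of prioritized, first-match rule evaluation for an account
management policy. Added example; nothing here is Okta's own code."""
from dataclasses import dataclass, replace

# Assumption: authenticators counted as phishing resistant in this model.
PHISHING_RESISTANT = {"fido2_webauthn", "okta_fastpass", "smart_card"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower value is evaluated first; the catch-all is last
    actions: frozenset   # user actions governed; empty = no action condition,
                         # which in this model means it matches every action
    requirement: str     # "two_factors" or "phishing_resistant"


def matches(rule, action):
    return not rule.actions or action in rule.actions


def evaluate(policy, action):
    """Return the first rule, in priority order, whose conditions match."""
    for rule in sorted(policy, key=lambda r: r.priority):
        if matches(rule, action):
            return rule
    raise LookupError(f"no rule matches {action!r}")


def satisfies(rule, enrolled):
    """Can a user with these enrolled authenticators meet the rule?"""
    if rule.requirement == "two_factors":
        return len(enrolled) >= 2
    if rule.requirement == "phishing_resistant":
        return bool(enrolled & PHISHING_RESISTANT)
    raise ValueError(f"unknown requirement {rule.requirement!r}")


def available_actions(policy, enrolled, actions):
    """Actions offered in the user's profile: only those whose governing
    rule the user can satisfy (the page's 'Reset option isn't available')."""
    enrolled = frozenset(enrolled)
    return {a for a in actions if satisfies(evaluate(policy, a), enrolled)}


# Constructed rules. The catch-all allows two factors and has no action
# condition, so it governs profile edits when nothing above it matches.
CATCH_ALL = Rule("Catch-all", 100, frozenset(), "two_factors")
ENROLL = Rule("Enroll authenticators", 1,
              frozenset({"enroll_authenticator", "unenroll_authenticator"}),
              "phishing_resistant")
RECOVER = Rule("Recover and unlock", 2,
               frozenset({"password_reset", "account_unlock"}),
               "phishing_resistant")
PROFILE_EDITS = Rule("Profile edits", 50, frozenset(), "two_factors")

RECOMMENDED = [CATCH_ALL, ENROLL, RECOVER, PROFILE_EDITS]
# Same rules, but the profile-edit rule now sits above the account
# management rules and captures every action before they are reached.
MISORDERED = [CATCH_ALL, ENROLL, RECOVER, replace(PROFILE_EDITS, priority=0)]

ACTIONS = {"enroll_authenticator", "password_reset", "account_unlock", "edit_profile"}
# Constructed user: two factors enrolled, neither phishing resistant.
WEAK_USER = {"password", "okta_verify_push"}
STRONG_USER = {"password", "fido2_webauthn"}

if __name__ == "__main__":
    for label, policy in (("recommended", RECOMMENDED), ("misordered", MISORDERED)):
        for action in sorted(ACTIONS):
            print(f"{label:11} {action:22} -> {evaluate(policy, action).name}")
        print(f"{label:11} weak user may:", sorted(available_actions(policy, WEAK_USER, ACTIONS)))
```

Running the module prints which rule governs each action under both orderings; the misordered policy routes `password_reset` and `enroll_authenticator` to the two-factor profile-edit rule, so the phishing-resistant requirement never applies.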

Benefits

  • New users enroll in phishing-resistant authenticators on their first day.

  • By moving the control of self-service password recovery and account unlock to your Okta account management policy, you build phishing resistance into your most vulnerable user processes.

  • The authentication policy structure allows for more granular customization than the password policy, where self-service actions have traditionally been managed.

Policy configuration

There are three primary use cases for the Okta account management policy. Each one adds a rule to the policy, so you can skip any that you don't need. However, if your org doesn't use phishing-resistant authenticators yet, start by enrolling your first phishing-resistant authenticator.

  • Enroll your first phishing-resistant authenticator

  • Enroll new authenticators using an existing phishing-resistant authenticator

  • Unlock accounts and recover passwords using phishing-resistant authenticators