Skip auto-enrolling email authenticator

Early Access release. See Enable self-service features.

This feature lets you upgrade your org to Identity Engine without auto-enrolling email as an authenticator for your end users.

Enable this feature before you upgrade your org if any of the following applies to you:

  • In your Classic Engine org, you have a factor enrollment policy where email is set as an optional factor.
  • Your Classic Engine org doesn’t use MFA.
  • You want to use email as an optional authenticator in your Identity Engine org after migration.

When this feature is enabled, you don't have to change the email factor to Required or Disabled in your Classic Engine factor enrollment policy before upgrading your org; it can stay Optional.
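The first two conditions above can be checked from the Classic Engine MFA enrollment policies before you upgrade. The script below is an added example, not part of this page or of Okta's own tooling: it audits the email factor's self-enrollment setting in each MFA enrollment policy and decides whether the feature applies. It assumes the JSON shape that GET /api/v1/policies?type=MFA_ENROLL returns (settings.factors.okta_email.enroll.self with values REQUIRED, OPTIONAL or NOT_ALLOWED), treats a factor missing from settings.factors as NOT_ALLOWED, and treats an org as not using MFA when no active policy allows any factor. The policy data is constructed inline so the example runs offline; in a real audit you would replace it with the API response fetched with your admin API token.

```python
"""Audit Classic Engine MFA enrollment policies for the email factor.

Added example (not Okta's code). Decides whether the 'Skip auto-enrolling
email authenticator' feature should be enabled before an Identity Engine
upgrade, based on the policy-related conditions: email set as an optional
factor, or no MFA in use at all. The third condition (wanting email to be
optional after migration) is a design decision and is not checkable here.
"""
import json

# Constructed sample of a GET /api/v1/policies?type=MFA_ENROLL response.
# Shape assumed from the Okta Policies API; ids and names are made up.
SAMPLE_POLICIES_JSON = r"""
[
  {
    "id": "00p_sample_default",
    "name": "Default Policy",
    "type": "MFA_ENROLL",
    "status": "ACTIVE",
    "settings": {
      "type": "FACTORS",
      "factors": {
        "okta_email":  {"enroll": {"self": "OPTIONAL"}, "consent": {"type": "NONE"}},
        "okta_verify": {"enroll": {"self": "REQUIRED"}, "consent": {"type": "NONE"}}
      }
    }
  },
  {
    "id": "00p_sample_contractors",
    "name": "Contractors",
    "type": "MFA_ENROLL",
    "status": "INACTIVE",
    "settings": {
      "type": "FACTORS",
      "factors": {
        "okta_email": {"enroll": {"self": "REQUIRED"}, "consent": {"type": "NONE"}}
      }
    }
  }
]
"""

EMAIL_FACTOR = "okta_email"
NOT_ALLOWED = "NOT_ALLOWED"


def load_sample():
    """Parse the constructed sample response into policy dicts."""
    return json.loads(SAMPLE_POLICIES_JSON)


def active_mfa_policies(policies):
    """Keep only ACTIVE policies of type MFA_ENROLL."""
    return [p for p in policies
            if p.get("type") == "MFA_ENROLL" and p.get("status") == "ACTIVE"]


def factor_setting(policy, factor):
    """Return enroll.self for one factor; a missing factor counts as NOT_ALLOWED
    (assumption: factors not enabled in the policy are omitted from the JSON)."""
    factors = policy.get("settings", {}).get("factors", {})
    return factors.get(factor, {}).get("enroll", {}).get("self", NOT_ALLOWED)


def audit(policies, include_inactive=False):
    """Map each MFA_ENROLL policy id to its okta_email self-enrollment setting."""
    chosen = [p for p in policies if p.get("type") == "MFA_ENROLL"] \
        if include_inactive else active_mfa_policies(policies)
    return {p["id"]: factor_setting(p, EMAIL_FACTOR) for p in chosen}


def uses_mfa(policies):
    """True when any active MFA_ENROLL policy allows at least one factor.
    Heuristic: an org whose policies allow no factor at all is not using MFA."""
    for p in active_mfa_policies(policies):
        for factor in p.get("settings", {}).get("factors", {}):
            if factor_setting(p, factor) != NOT_ALLOWED:
                return True
    return False


def should_enable_skip_feature(policies):
    """Return (enable, reason) for the feature toggle described on this page."""
    if not uses_mfa(policies):
        return True, "org does not use MFA (no active policy allows a factor)"
    optional = [pid for pid, s in audit(policies).items() if s == "OPTIONAL"]
    if optional:
        return True, "okta_email is OPTIONAL in: " + ", ".join(optional)
    return False, "okta_email is REQUIRED or NOT_ALLOWED in every active policy"


if __name__ == "__main__":
    policies = load_sample()
    for pid, setting in audit(policies, include_inactive=True).items():
        print(f"{pid}: okta_email enroll.self = {setting}")
    print(should_enable_skip_feature(policies))
```

Only active policies drive the decision, because an inactive policy (like the constructed Contractors policy, which requires email) does not affect what users are asked to enroll; pass include_inactive=True to audit() when you also want to see what would change if a dormant policy is reactivated after the upgrade.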

End-user experience

The end user's experience with the first sign-in to Okta depends on how you have configured the authenticator enrollment policy and account recovery policy.

The end user’s email isn't automatically enrolled as an authenticator when they first sign in to the Identity Engine org after the upgrade. However, they may be prompted to enroll another authenticator for account recovery. In certain cases, they may have to enroll their email as an authenticator.

Self-service account recovery in Identity Engine requires that the user has enrolled at least one authenticator that is allowed for the recovery purpose. They use this recovery authenticator to reset their password or unlock their account. In Classic Engine, users can use email for account recovery even if they haven't enrolled it for authentication. In Identity Engine, however, email must be enrolled as an authenticator before it can be used for account recovery.

Therefore, if the user hasn't enrolled any authenticator that your policy requires for account recovery, they're prompted to do so when they first sign in to Okta after you've upgraded the org to Identity Engine. They can choose from the authenticators you've made available for self-service account recovery.

Related topic

Make email an optional authenticator