Enable password expiry

Early Access release. See Enable self-service features.

This feature adds the password expiry rule to your Okta account management policy. This one-factor rule lets users reset an expired password using their current password. It's in the top position by default so that your org can transition to the Okta account management policy without locking out users.

How it works

If your org uses the third-generation Sign-In Widget, upgrade to version 7.20 or later for all brands.

The password expiry rule is ready to use. Be sure that you've changed the access control settings in your password policy.

  1. In the Admin Console, go to Security > Authenticators.
  2. In the Password row, click Actions > Edit.
  3. In the Rules section, click the edit icon for the default rule.
  4. In the Recovery authenticators section, set the Access control condition to Authentication policy.
  5. Click Update rule.
  6. If you have other password policy rules, ensure that the following conditions are set:
    • Users can perform self-service: Password change
    • Access control: Authentication policy

Considerations

The password expiry rule requires no configuration, though it's fully editable. Before editing the password expiry rule, review these best practices:

  • Preserve this expression, even if you add to it: accessRequest.operation == 'recover' && accessRequest.metadata.type == 'expiry'. The metadata in the custom EL expression helps target it for password expiration only.

  • Keep the rule in the top priority position. If you lower this rule's priority, users may get locked out by more restrictive rules first.
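The two considerations above come down to how an ordered rule list is evaluated: the first rule whose condition matches the access request wins, so the expiry rule's custom expression and its top-priority position work together. The following Python model is an added illustration, not Okta's policy engine or code from this page; the rule names, the second (stricter) rule, the `AccessRequest` shape and the `required_factors` attribute are constructed assumptions used only to show the ordering effect.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class AccessRequest:
    """Constructed stand-in for the accessRequest object the EL expression reads."""
    operation: str                      # e.g. 'recover'
    metadata: dict = field(default_factory=dict)   # e.g. {'type': 'expiry'}


@dataclass
class Rule:
    """A policy rule: a predicate over the request plus how many factors it demands."""
    name: str
    condition: Callable[[AccessRequest], bool]
    required_factors: int               # 1 = the current password alone is enough


def expiry_condition(req: AccessRequest) -> bool:
    # Python equivalent of the page's expression:
    # accessRequest.operation == 'recover' && accessRequest.metadata.type == 'expiry'
    return req.operation == "recover" and req.metadata.get("type") == "expiry"


# The one-factor password expiry rule described on the page.
PASSWORD_EXPIRY_RULE = Rule("Password expiry", expiry_condition, required_factors=1)

# Hypothetical stricter rule (assumption): every recovery needs two factors.
STRICT_RECOVERY_RULE = Rule(
    "Strict recovery (hypothetical)",
    lambda req: req.operation == "recover",
    required_factors=2,
)


def evaluate(rules: List[Rule], req: AccessRequest) -> Optional[Rule]:
    """First-match evaluation: rules are tried in priority order, top first."""
    for rule in rules:
        if rule.condition(req):
            return rule
    return None


def can_reset(rules: List[Rule], req: AccessRequest, factors_available: int) -> bool:
    """True if the matched rule can be satisfied with the factors the user has."""
    rule = evaluate(rules, req)
    return rule is not None and factors_available >= rule.required_factors


if __name__ == "__main__":
    # Constructed request: a user whose only credential is an expired password.
    expired = AccessRequest("recover", {"type": "expiry"})
    top = [PASSWORD_EXPIRY_RULE, STRICT_RECOVERY_RULE]      # recommended order
    lowered = [STRICT_RECOVERY_RULE, PASSWORD_EXPIRY_RULE]  # expiry rule demoted
    print("expiry rule on top  :", can_reset(top, expired, factors_available=1))
    print("expiry rule lowered :", can_reset(lowered, expired, factors_available=1))
```

With the expiry rule in the top position the one-factor reset succeeds; once it is demoted, the stricter rule matches first and a user holding only an expired password is locked out. A plain recovery request without the `expiry` metadata never matches the expiry rule in either order, which is what the custom expression is scoping.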

Related topics

Okta account management policy

Add a rule for password recovery and account unlock