Okta account management policy

The Okta account management policy defines authentication requirements when users enroll or unenroll authenticators, recover their passwords, and unlock their accounts. Its rule-based framework lets you enforce phishing resistance throughout the user journey, from onboarding to authentication and recovery.

Like other authentication policies, the Okta account management policy contains a catch-all rule. You set your own requirements by adding rules and prioritizing them over the catch-all. However, this policy applies to account management actions only. You can't assign it to apps.

Benefits

  • New users enroll in phishing-resistant authenticators on their first day.

  • By moving the control of self-service password recovery and account unlock to your Okta account management policy, you build phishing resistance into your most vulnerable user processes.

  • The authentication policy structure allows for more granular customization than the password policy, where self-service actions have traditionally been managed.

How it works

The policy's catch-all rule allows access with two factors, and it controls user profile edits. You can add more rules to control other account management actions, like authenticator enrollment or unenrollment, password recovery, and account unlock. It's important that you prioritize these account management rules over any rules that govern profile edits.

Keeping the catch-all (and any rules that control profile edits) in the lowest priority ensures that users are evaluated for authenticator-specific operations first. This also controls the authenticator actions that are available in the user's profile. For example, if a user doesn't meet the reset requirements for password, the Reset option isn't available to them in their security method settings.

Policy configuration

There are three primary use cases for the Okta account management policy. Each one adds a rule to the policy, so you can skip any that you don't need. However, if your org doesn't use phishing-resistant authenticators yet, start by enrolling your first phishing-resistant authenticator.

Enroll your first phishing-resistant authenticator

Enroll new authenticators using an existing phishing-resistant authenticator

Unlock accounts and recover passwords using phishing-resistant authenticators