Okta account management policy

Early Access release. See Enable self-service features.

The Okta account management policy defines authentication requirements when users enroll in authenticators, recover their passwords, and unlock their accounts. Its rule-based framework lets you enforce phishing resistance throughout the user journey, from onboarding to authentication and recovery.

Like other authentication policies, the Okta account management policy contains a catch-all rule, and you set your own requirements by adding rules and prioritizing them above the catch-all. However, this policy differs in a few key ways. Its basic properties, such as the name and description, are read-only. You can't delete the policy; if you want to stop using it, you have to disable the feature. Most importantly, you can't assign it to apps: this policy applies to account management actions only.

Benefits

  • New users enroll in phishing-resistant authenticators on their first day.

  • By moving control of self-service password recovery and account unlock from the password policy to the Okta account management policy, you build phishing resistance into the user processes that are most exposed to attack.

  • The authentication policy structure allows for more granular customization than the password policy, where self-service actions have traditionally been managed.

Policy configuration

There are three primary use cases for the Okta account management policy. Each one adds a rule to the policy, so you can skip any that you don't need. However, if your org doesn't use phishing-resistant authenticators yet, start by enrolling your first phishing-resistant authenticator.

Enroll your first phishing-resistant authenticator

Enroll new authenticators using an existing phishing-resistant authenticator

Unlock accounts and recover passwords using phishing-resistant authenticators