Configure the Password authenticator

The Password authenticator enables you to require users to provide a password when signing in to Okta or one of your apps. You can also allow users to reset forgotten passwords.

Passwords are strings of characters that the user types into a password field on the Sign-In Widget. Admins can customize the required complexity of passwords, configure their age, expiry and history, and enable lockout conditions.

The Password authenticator is active by default. To use the Password authenticator, you configure a password policy and rules for it.

Configure a password policy

  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, find the Password item in the list of authenticators and click Actions > Edit.
  3. Okta provides a default policy that you can customize, or you can create your own.
    • To customize the default policy, select Default Policy in the list and click Edit.
    • To create your own password policy, click Add New Password Policy and complete these fields:
      • Policy name: Type a descriptive name for this policy.
      • Policy description: Type a description of what this policy does, and to whom it applies.
      • Add group: Start typing the name of groups of users to whom the policy applies. As you type, Okta suggests groups that match your text. Select the desired group from the list. See About groups for information on creating groups of users.
      • Applies to: Select the authentication provider to which you want to apply this password policy.
  4. Configure the Password Settings options:
    • Minimum length: Require a minimum number of characters in passwords.
    • Complexity requirements: Require various character types and other attributes in passwords.
    • Password age: Select options that control how long users can use passwords, how often they can reuse them and when they're prompted to change their password.
    • Lock out: Configure these options:
      • The number of times an incorrect password may be entered before the account is locked.
      • How long the account remains locked.
      • Send users a lockout failure email when their account is locked.

      • To prevent Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) lockouts, verify that the Lock out user after <#> unsuccessful attempts value is lower than the failed sign-in attempt limit configured in AD and LDAP. For example, if the maximum number of failed Windows sign-in attempts is set to 10 in AD and LDAP, Okta recommends setting your maximum Okta failed sign-in limit to 9. If a user exceeds the sign-in limit set in Okta, additional failed attempts aren't sent to AD or LDAP to prevent users from locking themselves out of their Windows account. In AD, locked-out Okta users can use self-service account unlock or seek help from an Okta admin. Only an admin can unlock a locked LDAP-sourced account.

  5. Click Create Policy if you created a new policy, or Update Policy if you edited the default or an existing policy.
  6. Create rules for this policy. See Add a password policy rule for instructions.

Add a password policy rule

Password policy rules allow you to configure:

  • Which self-service actions are available to users.
  • How users can initiate recovery.
  • Whether additional verification is required during recovery.
  • Which individual users are excluded from the password policy.
  • Restrictions on users attempting to access Okta from network zones that you specify.
  1. In the Admin Console, go to SecurityAuthenticators.
  2. On the Setup tab, find the Password item in the list of authenticators and click Actions > Edit.
  3. Select the password policy to which you want to add a rule and click Add Rule.
  4. Complete the following fields and options:
    • Rule Name: Type a name for the rule.
    • Exclude Users: Start typing the name of a user that you want to exclude from the rule. As you type, Okta suggests usernames that match your text. Select the desired user from the list. Repeat for each additional user you want to exclude.
    • IF User's IP is:
      • Anywhere: Apply the rule to all users regardless of whether their IP address is listed in the Public Gateway IP list.
      • In zone: Apply the rule to users in all or specific network zones.
        • All Zones: Select this checkbox to apply this rule to users in all zones.
        • Zones: Apply this rule to users in network zones that you specify. Start typing the name of a zone. As you type, Okta suggests zone names that match your text. Select the desired zone from the list. Repeat for each additional zone you want to add.
      • Not in zone: Apply the rule to exclude users in all zones or in specific zones.
        • All Zones: Select this checkbox to exclude users in all zones.
        • Zones: Apply this rule to exclude users in network zones that you specify. Start typing the name of a zone. As you type, Okta suggests zone names that match your text. Select the desired zone from the list. Repeat for each additional zone you want to add.

        • See Network zones for information on the Public Gateway IP list and other IP Zones features.

    • THEN User can perform self-service:
      • Password change (from account settings): Allow users to change their password and make the perform self-service password reset option available to them.
      • Password reset: Allow users who are unable to sign in or who forgot their password to perform self-service password resets and show the Forgot password? link on the Sign-In Widget.
      • Unlock account: Allow users to unlock their account by clicking the Unlock account? link on the Sign-In Widget.

        • When you select this option, LDAP-sourced Okta user accounts are unlocked in Okta but remain locked in the on-premises LDAP instance. If you don't allow self-service unlock, see Reset a user password for other options.

  5. Configure ways for users to initiate recovery and provide additional verification:
    • AND Users can initiate recovery with:
      • Okta Verify (Push notification only): Allow users to initiate recovery with the Push functionality of Okta Verify. See Configure the Okta Verify authenticator.
      • Phone (SMS / Voice call): Allow users to initiate recovery with either text messages or voice phone calls. See Phone authenticator.
      • Email: Allow users to initiate recovery with an email message that contains a one-time password or a magic link. See Configure the Email authenticator.
      • Google Authenticator: Allow users to initiate recovery with a one-time passcode from Google Authenticator. See Google Authenticator.
    • AND Additional verification is:
      • Not required: Select this option if you don't require additional verification from users during recovery.
      • Any enrolled authenticator used for MFA/SSO: Allow users to use any enrolled authenticator for recovery.
      • Only Security Question: Only allow users to use a Security Question for recovery. See Configure the Security Question authenticator.

        • Admins can determine whether an authentication challenge must be completed before the user enters their password. In an authentication policy rule, configure the AND User must authenticate with option. See Add an authentication policy rule.

  6. Click Create Rule.

End-user experience

End users create an Okta password according to the syntax, minimum length, age, and history requirements in your password policy. Unless an authentication policy rule for passwordless authentication is enabled, end users are always prompted for a password.

Current limitations

  • AD users aren't supported.
  • You can't delegate authentication to AD.
  • You can't send a warning message to users before their password expires.
  • You can't configure the expiration time for reset and unlock account recovery emails.

Related topics

Self-service account recovery

Configure the Email authenticator

Phone authenticator

Configure the FIDO2 (WebAuthn) authenticator

Configure the Security Question authenticator

Add an authentication policy rule