Self-service account recovery

Self-service account recovery allows active end users to reset their Okta passwords or unlock their accounts without contacting admin support.

You can configure self-service account recovery through a rule in your password policy.

Before you begin

Enable all the authenticators that you want to use for account recovery before you begin this procedure. In addition, enable as many additional authenticators as possible that your users can use for non-recovery scenarios. These additional authenticators should not be the same ones that you use for recovery scenarios.

Configure self-service account recovery

  1. In the Admin Console, go to Security > Authenticators.
  2. In the Password row, click Actions > Edit.
  3. In an existing password policy, click Add Rule or edit an existing rule.
  4. Configure these options as needed:
    • IF User’s IP is – Specify whether Anywhere, In zone, or Not in zone invokes the rule.
    • THEN User can perform self-service:
      • Password change (from account settings) - Users can change their password once they’ve authenticated with their password and another factor (if enrolled).
      • Password reset - Users can reset a forgotten password by verifying with any authenticator that is configured in recovery settings.
      • Unlock account - Users can unlock their account by verifying with any authenticator that is configured in recovery settings.
    • AND Users can initiate recovery with:
      • Okta Verify (Push notification only)
      • Phone (SMS / Voice Call)
      • Email
    • AND Additional verification is:
      • Not required – Users aren’t required to authenticate with a second factor.
      • Any enrolled authenticator used for MFA/SSO – Users are required to authenticate with an MFA authenticator (Okta Verify, Email, Phone, or Security Key) as a second factor.
      • Only Security Question – Users are required to answer a Security Question as a second factor.

    You can't use the authenticators that you select for initiating recovery for providing additional verification. Verify that the authenticators you select for the AND Additional verification is option are different from those you select for the AND Users can initiate recovery with option.

    Okta also recommends that you require users to enroll in as many authenticators as possible in addition to those you select for initiating recovery. If you only allow users to enroll in the authenticators you select for initiating recovery, then they won't have any authenticators to use for authenticating themselves during non-recovery situations, such as signing in. Requiring users to enroll in as many authenticators as possible ensures that they will always have authenticators available for both recovery and non-recovery situations. Configure these authenticators as Required in your authenticator enrollment policies so that users are required to enroll in all of the non-recovery authenticators that you activate for them.

  5. Create or update the password policy rule to save your changes.

Recommended configurations

Some configurations can cause users to be unable to authenticate when initiating account recovery. The authenticators that you select for initiating recovery can't be used for providing additional verification. See the note in the Configure self-service account recovery section for details. The following table provides examples of configurations to avoid, explanations, and recommendations on what to do instead.

Configuration to avoid

Reason

Use this configuration instead

In the Admin Console, go to Security > Authenticators, select Actions and Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery

  • Phone is set to Authentication and recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Email and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section

  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If the user selects Phone, they can't complete the secondary verification because Email is configured for Recovery, not for Authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to be allowed to initiate recovery.

  • To allow Email and Phone to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Okta Verify

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to Security > Authenticators:

  • Email is used for Recovery

  • Okta Verify is used for Authentication and Recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Email and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section

  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because Email is configured for Recovery, not for Authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to be allowed to initiate recovery.

  • To allow Email and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Phone

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to Security > Authenticators, select Actions and Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery

  • Phone is set to Authentication and Recovery, but isn't set as Required for enrollment

  • Okta Verify is set to Authentication and Recovery, but isn't set as Required for enrollment

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Okta Verify and/or Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section

Users can't initiate the recovery process for this configuration. They aren't asked to enroll in Okta Verify or Phone because they aren't set to Required in the enrollment policy.

To use Phone, Okta Verify or both to initiate a recovery, ensure that these authenticators are set to Required as part of the enrollment policy.

In the Admin Console, go to Security > Authenticators:

  • Phone is used for Recovery

  • Okta Verify is used for Authentication and Recovery

  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Phone and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because Phone is configured for Recovery, not for Authentication.

  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Phone to be allowed to initiate recovery.

  • To allow Phone and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • Email

      • WebAuthn

      • Google Authenticator

In the Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators to view the Used for setting:

  • Email is set to Recovery
  • Phone is set to Recovery
  • Okta Verify is set to Authentication and Recovery
  • No other authenticator is enabled or required to be enrolled for authentication

In the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine:

  • The Okta Verify, Email, and Phone (SMS/Voicecall) options are selected in the Users can initiate recovery with section
  • The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section

When users attempt account recovery, they see the Okta Verify, Email, and Phone options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because Email and Phone are configured for Recovery, not for Authentication.
  • In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email and Phone to be allowed to initiate recovery.

  • To allow Phone, Email, and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO:

    • Enable these authenticators and set them as Required for authenticator enrollment:

      • WebAuthn

      • Google Authenticator

  • Email and Phone are MFA authenticators that you can turn off for password reset or account unlock.
  • Security Question can also be enabled as an additional verification step. See About MFA authenticators.
  • When you select the unlock option for LDAP-sourced Okta user accounts, the user account is unlocked in Okta, but it remains locked in the on-premises LDAP instance.
  • Don't set all authenticators on the Security > Authenticators page, Enrollment tab to Optional. Set at least two non-Email authenticators to Required.
  • Don't use the authenticator you select for everyday authentication for recovery.
  • To configure additional verification, use the Any enrolled authenticator used for MFA/SSO option: Go to Security > Authenticators > Setup, then click Actions > Edit for Password. Select the Any enrolled authenticator used for MFA/SSO option in a password policy rule.

Related topics

Configure the Password authenticator

Configure the Okta Verify authenticator

Configure the Email authenticator

Phone authenticator