Self-service account recovery allows active end users to reset their Okta passwords or unlock their accounts without contacting admin support. You can configure self-service account recovery through a rule in your password policy.

## Before you begin

Enable the Password authenticator and any other authenticators that users can use for account recovery.

## Configure the recovery rule

1. In the Admin Console, go to Security > Authenticators.
2. In the Password row, click Actions > Edit.
3. In an existing password policy, click Add Rule or edit an existing rule.
4. Configure the rule:
   - IF User's IP is – Specify whether Anywhere, In zone, or Not in zone invokes the rule.
   - Password change (from account settings) – Users can change their password once they've authenticated with their password and another factor (if enrolled).
   - Password reset – Users can reset a forgotten password by verifying with any authenticator that is configured in recovery settings.
   - Unlock account – Users can unlock their account by verifying with any authenticator that is configured in recovery settings.
   - AND Additional verification is – Choose one of the following:
     - Not required – Users aren't required to authenticate with a second factor.
     - Any enrolled authenticator used for MFA/SSO – Users are required to authenticate with an MFA authenticator (Okta Verify, Email, Phone, or Security Key) as a second factor.
     - Only Security Question – Users are required to answer a Security Question as a second factor.

   The authenticator that you select for the AND Additional verification is option must be different from the authenticator you select for the AND Users can initiate recovery with option. You can't use the same authenticator for both initiating recovery and providing additional verification.
5. Create or update the password policy rule to save your changes.

## Configurations to avoid

Some configurations can cause users to be unable to authenticate when initiating account recovery. The following table provides examples of configurations to avoid, explanations, and recommendations on what to do instead.

To examine a rule: in the Admin Console, go to Security > Authenticators, and click Actions > Edit in the Password row. Click the pencil icon for the rule that you want to examine. To view an authenticator's Used for setting: in the Admin Console, go to Security > Authenticators, and select Actions > Edit for that authenticator.

**Configuration 1: Email and Phone initiate recovery, Email is Recovery only**

- Configuration:
  - The Email and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section.
  - The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.
  - Phone is set to Authentication and Recovery.
  - No other authenticator is enabled or required to be enrolled for authentication.
- Explanation: When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If the user selects Phone, they can't complete the secondary verification because Email is configured for Recovery, not for Authentication.
- Recommendation: In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to be allowed to initiate recovery. To allow Email and Phone to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO, enable these authenticators and set them as Required for authenticator enrollment.

**Configuration 2: Email and Okta Verify initiate recovery, Email is Recovery only**

- Configuration:
  - The Email and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section.
  - Okta Verify is used for Authentication and Recovery.
- Explanation: When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because Email is configured for Recovery, not for Authentication.
- Recommendation: To allow Email and Okta Verify to initiate recovery, and require extra verification using any enrolled authenticator used for MFA/SSO, enable these authenticators and set them as Required for authenticator enrollment.

**Configuration 3: Okta Verify and/or Phone initiate recovery but aren't Required for enrollment**

- Configuration:
  - The Okta Verify and/or Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section.
  - Okta Verify is set to Authentication and Recovery, but isn't set as Required for enrollment.
  - Phone is set to Authentication and Recovery, but isn't set as Required for enrollment.
- Explanation: Users can't initiate the recovery process for this configuration. They aren't asked to enroll in Okta Verify or Phone because they aren't set to Required in the enrollment policy.
- Recommendation: To use Phone, Okta Verify or both to initiate a recovery, ensure that these authenticators are set to Required as part of the enrollment policy.

**Configuration 4: Phone and Okta Verify initiate recovery, Phone is Recovery only**

- Configuration:
  - The Phone and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section.
  - The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.
- Explanation: When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they can't complete the secondary verification because Phone is configured for Recovery, not for Authentication.
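The configurations above share a small set of failure patterns: an initiating authenticator that users are never asked to enroll in, an initiator that leaves no other Authentication-capable authenticator for the second step, and the same authenticator doing both steps. The following lint is an added example, not Okta's code or API; it models the Admin Console settings (Used for, Required for enrollment, the rule's initiators and additional verification) as plain Python values and replays the page's configurations through one checker. It assumes that only an authenticator set to Required in the enrollment policy can be relied on as enrolled for every user, and it excludes Password from the MFA second-factor candidates, as the page's list of MFA authenticators does.

```python
"""Lint an Okta-style self-service recovery rule against the authenticator
settings it depends on. Added example; it is not Okta's code and does not
call the Okta API. Names of settings mirror the Admin Console labels."""

from dataclasses import dataclass

# Values of the "AND Additional verification is" option.
NOT_REQUIRED = "Not required"
ANY_ENROLLED_MFA = "Any enrolled authenticator used for MFA/SSO"
SECURITY_QUESTION = "Security Question"   # the "Only Security Question" choice


@dataclass(frozen=True)
class Authenticator:
    name: str
    used_for: frozenset             # subset of {"Authentication", "Recovery"}
    required_for_enrollment: bool   # set to Required in the enrollment policy?


@dataclass(frozen=True)
class RecoveryRule:
    initiators: frozenset           # "Users can initiate recovery with"
    additional_verification: str    # NOT_REQUIRED, ANY_ENROLLED_MFA or SECURITY_QUESTION


def lint_recovery_rule(rule, authenticators):
    """Return a list of (code, authenticator, message) findings; empty means OK."""
    findings = []
    by_name = {a.name: a for a in authenticators}

    # Assumption of this lint: only a Required authenticator is guaranteed to be
    # enrolled, so an optional initiator can't be counted on to start recovery.
    for name in sorted(rule.initiators):
        auth = by_name.get(name)
        if auth is None:
            findings.append(("INITIATOR_NOT_ENABLED", name,
                             f"{name} is selected to initiate recovery but isn't enabled"))
        elif not auth.required_for_enrollment:
            findings.append(("INITIATOR_NOT_REQUIRED", name,
                             f"users aren't asked to enroll in {name}, so they can't initiate recovery with it"))

    # The same authenticator can't both initiate recovery and provide the extra verification.
    if rule.additional_verification == SECURITY_QUESTION and SECURITY_QUESTION in rule.initiators:
        findings.append(("SAME_AUTHENTICATOR_BOTH_STEPS", SECURITY_QUESTION,
                         "Security Question can't both initiate recovery and be the additional verification"))

    # After initiating with X, the user needs some other enrolled authenticator
    # that is used for Authentication. Recovery-only authenticators don't count,
    # and neither does Password (the page lists Okta Verify, Email, Phone, Security Key).
    if rule.additional_verification == ANY_ENROLLED_MFA:
        for name in sorted(rule.initiators):
            second_factors = [a.name for a in authenticators
                              if a.name != name and a.name != "Password"
                              and "Authentication" in a.used_for
                              and a.required_for_enrollment]
            if not second_factors:
                recovery_only = sorted(a.name for a in authenticators
                                       if a.name != name and "Authentication" not in a.used_for)
                findings.append(("NO_SECOND_FACTOR", name,
                                 f"a user who initiates with {name} can't complete the secondary "
                                 f"verification; recovery-only authenticators: {recovery_only}"))
    return findings


# Constructed samples that mirror the configurations discussed above.
EMAIL_RECOVERY_ONLY = Authenticator("Email", frozenset({"Recovery"}), True)
PHONE_AUTH_AND_RECOVERY = Authenticator("Phone", frozenset({"Authentication", "Recovery"}), True)
OKTA_VERIFY_REQUIRED = Authenticator("Okta Verify", frozenset({"Authentication", "Recovery"}), True)


def page_scenario_email_phone():
    """Configuration 1: Email and Phone initiate, Email is Recovery only."""
    rule = RecoveryRule(frozenset({"Email", "Phone"}), ANY_ENROLLED_MFA)
    return lint_recovery_rule(rule, [EMAIL_RECOVERY_ONLY, PHONE_AUTH_AND_RECOVERY])


def fixed_scenario_email_only():
    """First recommendation: only Email may initiate recovery."""
    rule = RecoveryRule(frozenset({"Email"}), ANY_ENROLLED_MFA)
    return lint_recovery_rule(rule, [EMAIL_RECOVERY_ONLY, PHONE_AUTH_AND_RECOVERY])


def fixed_scenario_required_okta_verify():
    """Second recommendation: another Required, Authentication-capable authenticator exists."""
    rule = RecoveryRule(frozenset({"Email", "Phone"}), ANY_ENROLLED_MFA)
    return lint_recovery_rule(rule, [EMAIL_RECOVERY_ONLY, PHONE_AUTH_AND_RECOVERY, OKTA_VERIFY_REQUIRED])


def page_scenario_not_required():
    """Configuration 3: initiators that aren't Required in the enrollment policy."""
    optional = [Authenticator("Okta Verify", frozenset({"Authentication", "Recovery"}), False),
                Authenticator("Phone", frozenset({"Authentication", "Recovery"}), False)]
    rule = RecoveryRule(frozenset({"Okta Verify", "Phone"}), ANY_ENROLLED_MFA)
    return lint_recovery_rule(rule, optional)


if __name__ == "__main__":
    for scenario in (page_scenario_email_phone, fixed_scenario_email_only,
                     fixed_scenario_required_okta_verify, page_scenario_not_required):
        print(scenario.__name__)
        for code, auth, message in scenario():
            print(f"  [{code}] {auth}: {message}")
```

Run the module directly to see the findings for each constructed scenario; the two "fixed" scenarios produce none. To lint a real tenant, build the `Authenticator` and `RecoveryRule` values from the settings shown in Security > Authenticators and in the password policy rule, and treat any finding as a configuration that will lock users out of self-service recovery.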