Password reset when "Challenge Question" has not been set
Hi. We have a very lightweight low-security app, for which we've created a bunch of users using the Create-User-With-Password API detailed here: https://developer.okta.com/docs/api/resources/users.html#create-user-with-password
Notably, there is no recovery question/answer set, because we want to make the user-signup process as simple and quick as possible.
Now, when the above users try to reset their password, they receive the email successfully, but are then prompted to answer a non-existent "Forgotten Password Challenge", which they have no idea how to fill.
Is this expected? How can a user reset his password when he doesn't have any recovery question set up?
This is something that we've had requested a few times more recently and we are working on options to configure optionally the need for the security question to be answered. There was a little while ago a small beta test where a feature flag DISABLE_SECURITY_QUESTION_FOR_RECOVERY could be switched on. You might like to get in touch with support to see if this can be used.
Some customers might not like this as it does obviously lower the security posture, but for some use cases like yours it might be suitable.