Is there a way to disable the "Forgotten Password Question" and use something else instead?
We are wanting to streamline the process of users resetting passwords (and make it easier on Admins). Instead of having to remember what they set their security question as, we want them to just send themselves an SMS text and enter the key they get. I have the SMS part set up, but can I disable the question part? Or is this something that can't be disabled?
It's required for security reasons. If an SMS code was sent to the end user as a password reset option, then the SMS factor could be used to circumvent the password altogether, and effectively, SMS becomes the only factor of authentication. To avoid that, we require the security question as a second factor.
@eric Would it be possible to let the admin choose a second factor of their own and let Okta enforce dual factors? For example send a recovery link to your secondary email, then click that and force SMS?
I am having the same problem. I have a user that left the company and I can't disable this feature to reset his access to get her files, and I don't like the idea to "bypass" Okta, going direct to the domain controller to reset her password or grant admin access on her mailbox, for example.
Guys, after talking to the support team I understood the behavior. To reset the forgotten password security question, we have to disable/enable the user, so Okta will send a welcome message to the user's email. This email contains the link that allows us to redefine the password and update the security question. Now the question is how to get this email? The way I handle it is by updating the user profile, adding my internal helpdesk email as a secondary email which will also receive the email. Just make sure to do this before disabling/enabling the user.
So in summary, we have to use the activation link sent by a welcome message instead of the reset link sent by the reset password message, which makes total sense! Thanks!
I don't agree, the potential problems with deactivating a user can be enormous. If you have systems that are provisioned and you deactivate the account, it can be deleted, deactivated, start offboarding processes and what not in the downstream apps. I truly think that deactivating/reactivating is a bad method and should be avoided. If you do it, you'll have to go through every app that is provisioned and turn off any items that could potentially kill the identity in that app. Do your thing and then turn it back on, hopefully without issues of parallel IDs or errors regarding recreating users. Unfortunately Okta doesn't really have another option, but this needs to be better addressed.
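The workaround in the thread (add a helpdesk secondary email, then deactivate and reactivate the user so Okta sends the activation email) and the objection to it (downstream provisioning may deprovision the identity) fit together as one scripted procedure with a safety check in front. The following is an added example, not code from Okta or from anyone in this thread. It calls Okta's documented Users and Apps API endpoints (`POST /api/v1/users/{id}` with a `secondEmail` profile update, `/lifecycle/deactivate`, `/lifecycle/activate?sendEmail=true`, and `GET /api/v1/apps?filter=user.id eq "..."`) and refuses to proceed when any assigned app has the `PUSH_USER_DEACTIVATION` provisioning feature enabled unless the operator explicitly overrides. The org URL, token, user id, app records and the offline fake transport are constructed for the example so it runs without an Okta tenant.

```python
"""Reset a user's forgotten-password security question via an activation
email, with a provisioning check first.  Added example, not Okta's code."""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen


class OktaClient:
    """Minimal Okta REST client; `transport` can be swapped for a fake."""

    def __init__(self, org_url, api_token, transport=None):
        self.org_url = org_url.rstrip("/")
        self.headers = {
            "Authorization": f"SSWS {api_token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        self.transport = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = Request(url, data=data, method=method, headers=self.headers)
        with urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}

    def call(self, method, path, body=None):
        return self.transport(method, self.org_url + path, body)

    def apps_assigned_to_user(self, user_id):
        # Okta's "list applications assigned to a user" filter
        return self.call("GET", "/api/v1/apps?filter=" + quote(f'user.id eq "{user_id}"'))


def reset_question_via_activation(client, user_id, helpdesk_email, allow_provisioned=False):
    """Implements the thread's workaround: secondary email first, then
    deactivate/activate so the activation (welcome) email is sent.

    Before touching the lifecycle, list the user's assigned apps and stop if
    any of them pushes deactivation downstream, because deactivating the Okta
    user would trigger offboarding in those apps."""
    apps = client.apps_assigned_to_user(user_id)
    risky = [a.get("label", a.get("id")) for a in apps
             if "PUSH_USER_DEACTIVATION" in a.get("features", [])]
    if risky and not allow_provisioned:
        return {"status": "blocked", "apps_pushing_deactivation": risky}

    # 1. add the helpdesk address so it also receives the activation email
    client.call("POST", f"/api/v1/users/{user_id}",
                {"profile": {"secondEmail": helpdesk_email}})
    # 2. deactivate without notifying admins by email
    client.call("POST", f"/api/v1/users/{user_id}/lifecycle/deactivate?sendEmail=false")
    # 3. reactivate; sendEmail=true makes Okta send the activation link
    result = client.call("POST", f"/api/v1/users/{user_id}/lifecycle/activate?sendEmail=true")
    return {"status": "activation_email_sent",
            "user_status": result.get("status"),
            "apps_pushing_deactivation": risky}


# --- constructed sample data and offline fake transport (not real tenant data) ---
SAMPLE_APPS = [
    {"id": "0oa_example_1", "label": "Example HR System",
     "features": ["PUSH_NEW_USERS", "PUSH_USER_DEACTIVATION"]},
    {"id": "0oa_example_2", "label": "Example Wiki", "features": []},
]


def make_fake_transport(assigned_apps, log):
    """Records every call and answers like the Okta API would."""
    def transport(method, url, body):
        log.append((method, url, body))
        if method == "GET" and "/api/v1/apps?" in url:
            return assigned_apps
        if url.endswith("/lifecycle/deactivate?sendEmail=false"):
            return {"status": "DEPROVISIONED"}
        if url.endswith("/lifecycle/activate?sendEmail=true"):
            return {"status": "PROVISIONED"}  # pending until the user clicks the link
        if method == "POST" and "/api/v1/users/" in url:
            return {"id": url.rsplit("/", 1)[1], "profile": body["profile"]}
        return {}
    return transport


def demo():
    log = []
    client = OktaClient("https://example.okta.com", "EXAMPLE_TOKEN",
                        make_fake_transport(SAMPLE_APPS, log))
    blocked = reset_question_via_activation(client, "00u_example", "helpdesk@example.com")
    done = reset_question_via_activation(client, "00u_example", "helpdesk@example.com",
                                         allow_provisioned=True)
    return blocked, done, log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With a real tenant, pass no `transport` and the client uses `urllib` against the org URL; the default run stops at the check because the sample HR app pushes deactivation, which is exactly the case the last reply warns about.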