Configure Self-Service Password Recovery in Okta
Overview

Okta supports Self-Service Password Recovery (SSPR) through configurable password recovery policies in both Okta Identity Engine (OIE) and Okta Classic Engine. Administrators configure these policies to allow users to reset passwords and unlock accounts without contacting support.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Self-Service Account Recovery
  • Password Policy
Solution

How is self-service password recovery configured in Okta?

The following sections describe how to configure SSPR, apply recommended settings, and manage password recovery policies across both Okta engines.

Configure Self-Service Account Recovery

Follow these steps to configure self-service account recovery in the Okta Admin Console:

  1. In the Okta Admin Console, navigate to Security > Authenticators.
  2. In the Password row, click Actions > Edit.
  3. In an existing password policy, click Add Rule or edit an existing rule.
  4. The options available for configuration include:
  • IF User's IP is – Specify whether Anywhere, In zone, or Not in zone will invoke the rule.

  • THEN User can perform self-service:

    • Password change (from account settings) - Users can change their password once they have authenticated with their password and another factor (if enrolled).
    • Password reset - Users can reset a forgotten password by verifying with any configured authenticator in recovery settings.
    • Unlock account - Users can unlock their account by verifying with any configured authenticator in recovery settings.
  • AND Users can initiate recovery with:

    • Okta Verify (Push notification only)
    • Phone (SMS / Voice Call)
    • Email
  • AND Additional verification is:

    • Not required – Users are not required to authenticate with a second factor.
    • Any enrolled authenticator used for MFA/SSO – Users are required to authenticate with an MFA authenticator (Okta Verify, Email, Phone, or Security Key) as a second factor.
    • Only Security Question – Users must answer a Security Question as a second factor.
  5. Create or update the password policy rule to save the changes.

The authenticator selected under AND Additional verification is must be different from the authenticator selected under AND Users can initiate recovery with; the same authenticator cannot both start the recovery and serve as its additional verification.

Recommended Configurations

Some configurations can block users from authenticating during account recovery. The following table provides examples of configurations to avoid, explanations, and recommendations on what to do instead.

Example 1

Configuration to avoid:

In the Okta Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators, and view the Used for setting:

- Email is set to Recovery.

- Phone is set to Authentication and recovery.

- No other authenticator is enabled or required to be enrolled for authentication.

In the Okta Admin Console, go to Security > Authenticators, click Actions > Edit in the Password row, and click the pencil icon for the rule to examine:

- The Email and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section.

- The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.

Reason:

When users attempt account recovery, they see the Email and Phone options to initiate the recovery. If the user selects Phone, they cannot complete the secondary verification because Email is configured for Recovery, not for Authentication.

Use this configuration instead:

- In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to initiate recovery.

- If both Email and Phone must be allowed to initiate recovery, and extra verification using any enrolled authenticator used for MFA/SSO is also required, ensure that other authenticators, such as Okta Verify, WebAuthn, Google Authenticator, or others, are enabled and set as Required to be enrolled for authentication.

Example 2

Configuration to avoid:

In the Okta Admin Console, go to Security > Authenticators:

- Email is used for Recovery.

- Okta Verify is used for Authentication and Recovery.

- No other authenticator is enabled or required to be enrolled for authentication.

In the Okta Admin Console, go to Security > Authenticators, click Actions > Edit in the Password row, and click the pencil icon for the rule to examine:

- The Email and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section.

- The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.

Reason:

When users attempt account recovery, they see both the Email and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they cannot complete the secondary verification because Email is configured for Recovery, not for Authentication.

Use this configuration instead:

- In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email to initiate recovery.

- If both Email and Okta Verify must be allowed to initiate recovery, and extra verification using any enrolled authenticator used for MFA/SSO is also required, ensure that other authenticators, such as Phone, WebAuthn, Google Authenticator, or others, are enabled and set as Required to be enrolled for authentication.

Example 3

Configuration to avoid:

In the Okta Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators, and view the Used for setting:

- Email is set to Recovery.

- Phone is set to Authentication and Recovery, but is not set as Required for enrollment.

- Okta Verify is set to Authentication and Recovery, but is not set as Required for enrollment.

- No other authenticator is enabled or required to be enrolled for authentication.

In the Okta Admin Console, go to Security > Authenticators, click Actions > Edit in the Password row, and click the pencil icon for the rule to examine:

- The Okta Verify and/or Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section.

Reason:

Users cannot initiate the recovery process with this configuration; they are never asked to enroll in Okta Verify or Phone because neither is set to Required in the enrollment policy.

Use this configuration instead:

- To use Phone, Okta Verify, or both to initiate a recovery, ensure that these authenticators are set to Required in the enrollment policy.

Example 4

Configuration to avoid:

In the Okta Admin Console, go to Security > Authenticators:

- Phone is used for Recovery.

- Okta Verify is used for Authentication and Recovery.

- No other authenticator is enabled or required to be enrolled for authentication.

In the Admin Console, go to Security > Authenticators, click Actions > Edit in the Password row, and click the pencil icon for the rule to examine:

- The Phone and Okta Verify options are enabled for Recovery in the Users can initiate recovery with section.

- The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.

Reason:

When users attempt account recovery, they see both the Phone and Okta Verify options to initiate the recovery. If the user selects Okta Verify, they cannot complete the secondary verification because Phone is configured for Recovery, not for Authentication.

Use this configuration instead:

- In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Phone to initiate recovery.

- If both Phone and Okta Verify must be allowed to initiate recovery, and extra verification using any enrolled authenticator used for MFA/SSO is also required, ensure that other authenticators, such as Email, WebAuthn, Google Authenticator, or others, are enabled and set as Required to be enrolled for authentication.

Example 5

Configuration to avoid:

In the Okta Admin Console, go to Security > Authenticators, select Actions > Edit for the Email and Phone authenticators, and view the Used for setting:

- Email is set to Recovery.

- Phone is set to Recovery.

- Okta Verify is set to Authentication and Recovery.

- No other authenticator is enabled or required to be enrolled for authentication.

In the Admin Console, go to Security > Authenticators, click Actions > Edit in the Password row, and click the pencil icon for the rule to examine:

- The Okta Verify, Email, and Phone (SMS / Voice call) options are selected in the Users can initiate recovery with section.

- The Any enrolled authenticator used for MFA/SSO option is selected in the Additional verification is section.

Reason:

When users attempt account recovery, they see the Okta Verify, Email, and Phone options to initiate the recovery. If the user selects Okta Verify, they cannot complete the secondary verification because Email and Phone are configured for Recovery, not for Authentication.

Use this configuration instead:

- In the Recovery authenticators section of the Add Rule or Edit Rule dialog, only enable Email and Phone to initiate recovery.

- If all three authenticators (Okta Verify, Email, and Phone) must be allowed to initiate recovery, and extra verification using any enrolled authenticator used for MFA/SSO is also required, ensure that other authenticators, such as WebAuthn, Google Authenticator, or others, are enabled and set as Required to be enrolled for authentication.


  • Email and Phone are MFA authenticators that can be turned off for password reset or account unlock.
  • Security Question can also be enabled as an additional verification step. See About MFA authenticators.
  • When the self-service unlock option is selected for LDAP-sourced Okta user accounts, the user account is unlocked in Okta, but remains locked in the on-premises LDAP instance.
  • Do not set all authenticators on the Security > Authenticators page, Enrollment tab to Optional. Set at least two non-Email authenticators to Required.
  • The authenticator selected for everyday authentication should not be used for Recovery.
  • For workforce users who must use Multi-Factor Authentication for everyday sign-in, require additional verification with the Any enrolled authenticator used for MFA/SSO option: go to Security > Authenticators > Setup tab, click Actions > Edit for the Password item, and select Any enrolled authenticator used for MFA/SSO in the Add Rule or Edit Rule dialog.
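The examples in the table and the notes above reduce to three checks: an authenticator that starts recovery must leave another Required, authentication-capable authenticator for the additional verification; an authenticator that starts recovery must be Required for enrollment; and at least two non-Email authenticators must be Required. The following Python is an added example, not Okta code and not part of this article, that encodes those checks over a constructed model of the settings. The class and field names are this example's own, not Okta API names; exporting real settings from the Admin Console or the Okta APIs and mapping them into this model is left to the reader.

```python
from dataclasses import dataclass

# Constructed model of the settings this article describes. The names below
# are this example's own labels, not Okta API field names or values.
RECOVERY = "Recovery"
AUTH_AND_RECOVERY = "Authentication and recovery"

NOT_REQUIRED = "Not required"
ANY_ENROLLED_MFA = "Any enrolled authenticator used for MFA/SSO"


@dataclass(frozen=True)
class Authenticator:
    name: str        # e.g. "Email", "Phone", "Okta Verify"
    used_for: str    # the authenticator's "Used for" setting
    required: bool   # True when the enrollment policy sets it to Required


@dataclass(frozen=True)
class RecoveryRule:
    initiate_with: tuple          # "Users can initiate recovery with"
    additional_verification: str  # "Additional verification is"


def audit_recovery_rule(authenticators, rule):
    """Return a list of findings; an empty list means the rule passes."""
    by_name = {a.name: a for a in authenticators}
    findings = []

    # Check 1 (table examples 1, 2, 4 and 5): when additional verification
    # uses any enrolled MFA authenticator, each authenticator a user may start
    # recovery with must leave another Required authenticator that is allowed
    # for authentication, not just for recovery.
    if rule.additional_verification == ANY_ENROLLED_MFA:
        for initiator in rule.initiate_with:
            fallback = [a.name for a in authenticators
                        if a.name != initiator
                        and a.used_for == AUTH_AND_RECOVERY
                        and a.required]
            if not fallback:
                findings.append(f"starting recovery with {initiator} leaves no "
                                "Required authenticator for additional verification")

    # Check 2 (table example 3): an authenticator that may start recovery must
    # be Required in the enrollment policy, otherwise users are never prompted
    # to enroll in it. Email is exempted on the assumption that every user
    # already holds an email address; that exemption is this model's choice.
    for initiator in rule.initiate_with:
        auth = by_name.get(initiator)
        if auth is None:
            findings.append(f"{initiator} may start recovery but is not an enabled authenticator")
        elif auth.name != "Email" and not auth.required:
            findings.append(f"{initiator} may start recovery but is not Required for enrollment")

    # Check 3 (notes below the table): at least two non-Email authenticators
    # must be Required for enrollment.
    required_non_email = [a.name for a in authenticators if a.required and a.name != "Email"]
    if len(required_non_email) < 2:
        findings.append("fewer than two non-Email authenticators are Required for enrollment")

    return findings


# Constructed samples. AVOID_EXAMPLE_1 mirrors the first row of the table;
# FIXED_EXAMPLE_1 applies that row's second remedy (another authenticator
# enabled and Required); AVOID_EXAMPLE_3 mirrors the third row.
AVOID_EXAMPLE_1 = (
    (Authenticator("Email", RECOVERY, required=False),
     Authenticator("Phone", AUTH_AND_RECOVERY, required=True)),
    RecoveryRule(("Email", "Phone"), ANY_ENROLLED_MFA),
)
FIXED_EXAMPLE_1 = (
    (Authenticator("Email", RECOVERY, required=False),
     Authenticator("Phone", AUTH_AND_RECOVERY, required=True),
     Authenticator("Okta Verify", AUTH_AND_RECOVERY, required=True)),
    RecoveryRule(("Email", "Phone"), ANY_ENROLLED_MFA),
)
AVOID_EXAMPLE_3 = (
    (Authenticator("Email", RECOVERY, required=False),
     Authenticator("Phone", AUTH_AND_RECOVERY, required=False),
     Authenticator("Okta Verify", AUTH_AND_RECOVERY, required=False)),
    RecoveryRule(("Okta Verify", "Phone"), NOT_REQUIRED),
)

if __name__ == "__main__":
    for label, (auths, rule) in [("avoid 1", AVOID_EXAMPLE_1),
                                 ("fixed 1", FIXED_EXAMPLE_1),
                                 ("avoid 3", AVOID_EXAMPLE_3)]:
        print(label, audit_recovery_rule(auths, rule) or ["OK"])
```

Running the script reports the Phone initiator and the single Required authenticator for the first configuration to avoid, nothing for its fixed form, and the missing enrollment requirements for the third. Check 1 deliberately counts only Required authenticators as fallbacks, because an authenticator that is merely Optional may not be enrolled for the user who is locked out.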

Screenshot: the Password Recovery Policy as it appears in Okta Identity Engine (OIE).

Screenshot: the Password Recovery Policy as it appears in Okta Classic Engine.

Create a Self-Service Password Reset Policy for the Organization

Follow these steps to create a self-service password reset policy for the organization, allowing all users to reset their passwords. A self-service password reset policy for the organization cannot be created if the group password policy feature is enabled.

  1. In the Admin Console, go to Security > Authentication.
  2. Click Add New Password Policy.
  3. Complete these fields:
    • Policy name: Enter a name for the policy.
    • Policy description: Enter a description for the policy.
    • Add group: Enter a group name and then select the group to which the policy should apply.
  4. In the Authentication Providers area, select the source for user authentication in the Applies to list.
  5. Complete these fields in the Password Settings area:
  • Minimum length — Specify a minimum password length of 4 to 30 characters (the default is eight characters).

  • Complexity requirements — Select one or more of these password complexity options:

    • Lower case letter — Select this option to make the inclusion of a lower-case letter in the password mandatory.
    • Upper case letter — Select this option to make the inclusion of an upper case letter in the password mandatory.
    • Number (0-9) — Select this option to make the inclusion of a number from 0 to 9 in the password mandatory.
    • Symbol (for example, !@#$%^&*) — Select this option to make the inclusion of a symbol in the password mandatory.
    • Does not contain part of username — Select this option to reject passwords that contain part of the user's username.
    • Does not contain first name — Select this option to reject passwords that contain the user's first name.
    • Does not contain last name — Select this option to reject passwords that contain the user's last name.
  • Common password check — Optional. Select Restrict use of common passwords to check password strength, or if the password is in common use.

  • Password age — Select one or more of these password age options:

    • Enforce password history for last password — Select this option to define the number of previous passwords that a new password must differ from before one can be reused. Between 1 and 24 passwords can be entered.
    • Minimum password age is — Enter the number of hours or days that a password can be used before it must be changed. The valid range is 1 to 999.
    • Password expires after days — Enter the number of days a password remains valid. The valid range is 1 to 999.
    • Prompt user days before password expires — Enter the number of days a user is notified before their password expires.
  • Lock out — Select one or more of these password lock out options:

    • Lock out user after unsuccessful attempts — Enter the number of unsuccessful password attempts a user is allowed before their account is locked. The valid range is 1 to 100.
    • Account is automatically unlocked after minutes — Enter the number of minutes that a user must wait before their account is automatically unlocked. The minimum value is one minute.
    • Show lock out failures — Select this option to display the number of lock out failures.
    • Send lockout email to user — Select this option to notify users by email that their account is locked.
  6. Complete these fields in the Account Recovery area:

  • Self-service recovery options — Select one or more of these options:

    • SMS — Select this option to let users reset their password using SMS.
    • Voice Call — Select this option to let users reset their password using a voice call.
    • Email — Select this option to let users reset their password using an email.
    • Reset/Unlock recovery emails are valid for — Enter the number of minutes, hours, or days that a password reset email remains valid. The minimum value is 60 minutes and the maximum value is 300000 minutes. An error message is returned if the value entered is above or below these values.
  • Password recovery question complexity — Enter the minimum number of characters that security answers must contain.
  7. In the Add Rule dialog, complete these fields:

  • Rule Name — Enter a name for the rule.
  • Exclude Users — Optional. Enter the names of users to be excluded from the rule.
  • IF User's IP is — Select one of these options:
    • Anywhere — Select this option to apply the rule to all users regardless of whether or not their IP address is listed in the Public Gateway IPs list.
    • In zone — Select this option to apply the rule to all users in a zone. Select All Zones to apply the rule to users in all zones, or enter a specific IP address.
    • Not in zone — Select this option to apply the rule to users outside a zone. Select All Zones to apply the rule to users outside all zones, or enter a specific IP address.
  • THEN User can — Select one of these user actions for the rule:
    • change password — Select this option to let users change their password.
    • perform self-service password reset — Select this option to let users reset their password. change password must be selected to enable this option.
    • perform self-service account unlock — Optional. Select this option to let users unlock their accounts.
  8. Click Create Rule.
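To show what the Password Settings fields of step 5 mean for a candidate password, here is an added Python example; it is not Okta's implementation and not part of this article. It models the minimum length (4 to 30), the complexity options, the username and name exclusions and the password history count (1 to 24) as a local check. The rule for splitting a username into parts and the use of plaintext history are assumptions of this example; the article does not describe how Okta performs either.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordSettings:
    """The Password Settings fields of a Classic Engine password policy."""
    min_length: int = 8        # Okta accepts 4 to 30; the default is eight
    lower_case: bool = True
    upper_case: bool = True
    number: bool = True
    symbol: bool = True
    no_username_part: bool = True
    no_first_name: bool = True
    no_last_name: bool = True
    history_count: int = 4     # "Enforce password history for last N passwords", 1 to 24


def _contains(password, value):
    """Case-insensitive substring test that ignores empty values."""
    return bool(value) and value.lower() in password.lower()


def username_parts(username):
    """Split a username into parts to test against the password.

    Assumption of this example: parts are separated by '@', '.', '_' or '-'
    and fragments shorter than three characters are ignored. Okta's own
    splitting rule is not described in this article.
    """
    return [p for p in re.split(r"[@._\-]", username) if len(p) >= 3]


def check_password(password, settings, username="", first_name="", last_name="", history=()):
    """Return the list of policy violations for a candidate password.

    `history` holds the user's previous passwords, oldest first. A real
    store keeps hashes and compares through the password verifier rather
    than plaintext; plaintext is used here only to keep the example short.
    """
    if not 4 <= settings.min_length <= 30:
        raise ValueError("minimum length must be between 4 and 30")
    if not 1 <= settings.history_count <= 24:
        raise ValueError("password history must be between 1 and 24")

    failures = []
    if len(password) < settings.min_length:
        failures.append(f"shorter than {settings.min_length} characters")
    if settings.lower_case and not re.search(r"[a-z]", password):
        failures.append("no lower case letter")
    if settings.upper_case and not re.search(r"[A-Z]", password):
        failures.append("no upper case letter")
    if settings.number and not re.search(r"[0-9]", password):
        failures.append("no number")
    if settings.symbol and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if settings.no_username_part and any(_contains(password, p) for p in username_parts(username)):
        failures.append("contains part of the username")
    if settings.no_first_name and _contains(password, first_name):
        failures.append("contains the first name")
    if settings.no_last_name and _contains(password, last_name):
        failures.append("contains the last name")
    # Only the most recent history_count passwords are compared.
    if password in history[-settings.history_count:]:
        failures.append(f"matches one of the last {settings.history_count} passwords")
    return failures


if __name__ == "__main__":
    # Constructed sample user and candidates.
    policy = PasswordSettings()
    for candidate in ("Summer2024!", "janedoe1"):
        print(candidate, check_password(candidate, policy,
                                        "jane.doe@example.com", "Jane", "Doe") or ["OK"])
```

With the default settings, "Summer2024!" passes for the constructed user, while "janedoe1" fails five checks at once (no upper case letter, no symbol, and the username, first name and last name exclusions). Passing a previous password in `history` shows the history rule rejecting reuse within the configured count.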

Add Self-Service Password Reset to an Existing Password Policy

Follow these steps to add a self-service password reset option to an existing policy, letting users reset their passwords.

  1. In the Okta Admin Console, go to Security > Authentication.
  2. Select an existing password policy and scroll down to the Add Rule area.
  3. Click Edit for an existing rule.
    • NOTE: If a rule does not exist or cannot be edited, click Add Rule, complete the mandatory and optional fields, select the options in the next step, and click Create Rule.
  4. In the THEN User can area, select the change password and perform self-service password reset check boxes.
  5. Click Update Rule.
