Enrollment Flow Behavior with Security Question Enabled and Disabled
Administration
Okta Classic Engine
Overview

This article describes the enrollment flow scenarios that occur based on whether the security question is enabled or disabled for self-service recovery.

Applies To
  • Enrollment Flow
  • Security Question
  • Password Policy
  • Self-Service Recovery
  • Okta Classic Engine
Solution

An Early Access feature (which can be enabled by contacting Okta Support) allows the security question to be disabled for self-service recovery. This feature results in several unique user registration flows.

The following three password policies demonstrate the different flows:

  • No Security Question Policy

    • Groups: No Security Question Group
    • Priority: 1
    • Security question for self-service recovery is disabled.
  • Security Question Policy

    • Groups: Security Question Group
    • Priority: 2
    • Security question for self-service recovery is enabled.
  • Default Policy

    • Groups: Everyone
    • Priority: 3
    • Security question for self-service recovery is enabled.

The results of different enrollment scenarios are described below:

  • Scenario 1
    1. An administrator creates a user.
    2. Before the user completes enrollment, the administrator places the user in the "No Security Question Group". This action can occur on the account creation screen or before the user signs in for the first time.
    3. The user signs in for the first time.

Result: The user is not prompted to set up a security question, and any self-service recovery attempt does not require one.

  • Scenario 2
    1. An administrator creates a user.
    2. Before the user completes enrollment, the administrator places the user in the "Security Question Group".
    3. The user signs in for the first time.

Result: The user is prompted to set up a security question, which is required for any self-service recovery attempt.

  • Scenario 3
    1. An administrator creates a user.
    2. The administrator places the user in the "Security Question Group" or any group that evaluates against the "Default Policy".
    3. The user signs in for the first time and is prompted to set up a security question.
    4. The administrator then moves the user to the "No Security Question Group".

Result: The user is prompted to set up the security question during initial enrollment, but any subsequent self-service recovery attempt does not require it.

NOTE: If the option to disable the security question is not available, open a support request to have the feature enabled. Reference this article in the request.
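The scenarios above can be modelled for an access review, as an added example that is not part of the original article or Okta's code. It assumes policies are matched by group in priority order with the first match winning; the function names and the constructed user records are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    group: str
    priority: int           # assumption: lower number is evaluated first
    question_enabled: bool  # security question for self-service recovery

# The three policies listed in the article.
POLICIES = [
    PasswordPolicy("No Security Question Policy", "No Security Question Group", 1, False),
    PasswordPolicy("Security Question Policy", "Security Question Group", 2, True),
    PasswordPolicy("Default Policy", "Everyone", 3, True),
]

def effective_policy(groups):
    """Return the first policy, in priority order, whose group the user is in."""
    member_of = set(groups) | {"Everyone"}  # every user belongs to Everyone
    for policy in sorted(POLICIES, key=lambda p: p.priority):
        if policy.group in member_of:
            return policy
    raise LookupError("no policy matched")

def audit(groups_at_first_sign_in, groups_now):
    """Compare the policy in force at enrollment with the one in force now."""
    enrolled = effective_policy(groups_at_first_sign_in).question_enabled
    current = effective_policy(groups_now)
    return {
        "policy": current.name,
        "question_enrolled": enrolled,
        "policy_requires_question": current.question_enabled,
        # Scenario 3: a question was set up but recovery no longer asks for it.
        "unused_question": enrolled and not current.question_enabled,
        # Moved the other way after enrollment: not described in the article.
        "outside_article": current.question_enabled and not enrolled,
    }

# Constructed records: (groups at first sign-in, groups now).
USERS = {
    "scenario1": (["No Security Question Group"], ["No Security Question Group"]),
    "scenario2": (["Security Question Group"], ["Security Question Group"]),
    "scenario3": (["Security Question Group"], ["No Security Question Group"]),
    "both_groups": (["Security Question Group", "No Security Question Group"],) * 2,
}

if __name__ == "__main__":
    for name, (first, now) in USERS.items():
        print(name, audit(first, now))
```

The `both_groups` record goes beyond the three scenarios: under the priority assumption, a user in both groups is governed by the priority 1 policy and is never asked for a security question.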
