This article explains an issue in which new users who have not yet configured a password for their Okta account are unable to complete the Okta Verify enrollment process on iOS devices. When they attempt to activate their account in Okta Verify for iOS, the following error message appears:
Authenticator operation is not allowed
This error prevents the completion of the enrollment process.
- Okta Verify
- iOS
- New User Enrollment
- Okta Identity Engine (OIE)
New users attempting to enroll in Okta Verify on an iOS device without a previously established password encounter the "Authenticator operation is not allowed" error. This occurs because, for new users, the Okta Verify activation flow on iOS does not proceed successfully without an existing password factor.
To enable new users without a password to enroll in Okta Verify on an iOS device, apply one of the following workarounds:
- Set a Password Factor Before iOS Enrollment:
  - The user (or an administrator on their behalf) must first set a password for the user's Okta account.
  - Once the password factor is established, the user can proceed with Okta Verify enrollment on their iOS device.
- Enroll Using a Non-iOS Device First:
  - The user initially enrolls their account in Okta Verify using a non-iOS device (such as Android or a desktop authenticator).
  - After successful enrollment on the non-iOS device, the user can then add their Okta account to the Okta Verify application on their iOS device.
- Set Up Email Verification:
  - Enrollment and authentication policies can be configured for a passwordless experience. See "Set up passwordless sign-in experience" for a deep dive into the topic of a passwordless experience.
  - Users must verify their email by accessing their Okta account using the Email factor.
  - Once a group for passwordless access is created and a passwordless policy is set up for the Okta Dashboard, users can enroll in Okta Verify by verifying their accounts using their verified email addresses.
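Before an iOS rollout, an administrator can check which new users would hit this error and which already satisfy one of the workarounds above. The following is an added example, not code from Okta or from this article: it assumes user and factor records shaped like the objects returned by Okta's Users and Factors APIs, the function names are hypothetical, and all sample data is constructed.

```python
# Added example. Record shapes follow Okta's Users API and Factors API objects
# (an assumption; the article shows neither). All sample data is constructed.

def has_password(user):
    # Okta returns credentials.password as a bare {} when a password exists.
    return "password" in user.get("credentials", {})

def active(factors, factor_type):
    return [f for f in factors
            if f.get("factorType") == factor_type and f.get("status") == "ACTIVE"]

def ios_enrollment_path(user, factors):
    """Name the workaround a user already satisfies, or 'blocked' if none."""
    if has_password(user):
        return "password-set"                 # workaround 1
    okta_verify = [f for f in active(factors, "push") if f.get("provider") == "OKTA"]
    if any(f.get("profile", {}).get("platform") not in (None, "IOS") for f in okta_verify):
        return "non-ios-okta-verify"          # workaround 2
    if active(factors, "email"):
        return "email-verified"               # workaround 3 (policies still required)
    return "blocked"                          # expect "Authenticator operation is not allowed"

def triage(users, factors_by_id):
    return {u["profile"]["login"]: ios_enrollment_path(u, factors_by_id.get(u["id"], []))
            for u in users}

# Constructed sample data (not real accounts).
USERS = [
    {"id": "u1", "profile": {"login": "new.hire@example.com"}, "credentials": {}},
    {"id": "u2", "profile": {"login": "has.pw@example.com"}, "credentials": {"password": {}}},
    {"id": "u3", "profile": {"login": "android@example.com"}, "credentials": {}},
    {"id": "u4", "profile": {"login": "email@example.com"}, "credentials": {}},
]
FACTORS = {
    "u3": [{"factorType": "push", "provider": "OKTA", "status": "ACTIVE",
            "profile": {"platform": "ANDROID"}}],
    "u4": [{"factorType": "email", "provider": "OKTA", "status": "ACTIVE"}],
}

if __name__ == "__main__":
    for login, path in triage(USERS, FACTORS).items():
        print(f"{login:24} {path}")
```

Users reported as `blocked` need one of the three workarounds applied before they attempt activation on iOS.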
