Okta Account Management Policy Enrollment for Specific Authenticators
Overview
An Okta Account Management Policy rule that requires specific authenticators during enrollment of a new factor or Self-Service Password Reset (SSPR) produces a deny outcome when the user does not yet hold the required authenticators. This is most visible for a new user who has only a password: if the rule that matches the enrollment request does not accept a password, or requires authenticators the user has not enrolled, the user cannot satisfy the rule and Okta denies the enrollment attempt. The fix is a priority 1 rule with a custom expression that scopes the rule to enrollment of a specific authenticator and lets the user satisfy it with a password.
Applies To
- Okta Account Management Policy
- Okta Identity Engine (OIE)
Cause
Okta evaluates policy rules in priority order and applies the first rule whose conditions match the request. When that rule requires specific authenticators, or does not accept a password, a user who has not yet enrolled those authenticators cannot satisfy the rule, and the request is denied. Because enrolling the required authenticator is exactly the operation being denied, the user is locked out of the enrollment flow until a rule that accepts what they already hold is placed ahead of the stricter one.
Solution
How is the issue with authenticator enrollment resolved?
To prevent Okta from denying users the ability to enroll a new authenticator when they are setting up their first one, create a new Okta Account Management Policy rule with priority 1. Use a custom expression so the rule applies only to enrollment of a specific authenticator, and configure the rule so that a password is enough to satisfy it; requests that do not match the expression fall through to the existing, stricter rules.
Create the new Okta Account Management Policy rule using one of the following custom expressions:
accessRequest.operation == 'enroll' && accessRequest.authenticator.key == '<factorType>'
OR
accessRequest.operation == 'enroll' && ( accessRequest.authenticator.key == '<factorType>' || accessRequest.authenticator.key == '<factorType>' )
Replace each <factorType> in the custom expression with one of the following supported values (in the second form, use two different values so the rule matches enrollment of either authenticator):
- okta_verify
- webauthn
- smart_card_idp
- yubikey_token
- google_otp
- security_question
- okta_email
- phone_number
Configure the custom expression to allow enrollment in the Okta Verify factor with a password by using the following example:
accessRequest.operation == 'enroll' && accessRequest.authenticator.key == 'okta_verify'
Below is the Okta Account Management Policy rule that allows enrollment in the Okta Verify factor with a password.
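The following Python script is an added example, not Okta's own code and not the rule shown on this page: it models the evaluation the article describes (rules tried in priority order, a custom expression selecting the request, a deny when the user holds none of the authenticators the matching rule requires) so you can see why the priority 1 rule fixes the lockout and why it only covers the authenticator named in its expression. The expression evaluator supports only the operators used by the expressions above (==, &&, ||, parentheses, quoted strings and dotted attribute names); the rule names, the strict rule and the user are constructed for the scenario.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Authenticator keys the article lists as valid values for accessRequest.authenticator.key.
SUPPORTED_KEYS = {"okta_verify", "webauthn", "smart_card_idp", "yubikey_token",
                  "google_otp", "security_question", "okta_email", "phone_number"}

# Expression subset used by the article's rules: ==, &&, ||, ( ), 'strings', dotted names.
_TOKEN = re.compile(r"\s*(?:(==|&&|\|\||[()])|'([^']*)'|([A-Za-z_][\w.]*))")

def tokenize(expr):
    """Split an expression into (kind, text) tokens, kind being op, str or ident."""
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize {expr[pos:]!r}")
        pos = m.end()
        kind = "op" if m.group(1) is not None else "str" if m.group(2) is not None else "ident"
        tokens.append((kind, next(g for g in m.groups() if g is not None)))
    return tokens

def lookup(ctx, path):
    """Resolve a dotted name such as accessRequest.authenticator.key in a nested dict."""
    value = ctx
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            raise KeyError(f"unknown attribute {path!r}")
        value = value[part]
    return value

class _Parser:
    """Recursive descent: or := and ('||' and)* ; and := cmp ('&&' cmp)* ;
    cmp := '(' or ')' | atom '==' atom ; atom := ident | 'string'. Yields ctx -> value."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, expect=None):
        tok = self.peek()
        if tok[0] is None or (expect is not None and tok != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {tok}")
        self.i += 1
        return tok
    def parse(self):
        fn = self.or_()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return fn
    def or_(self):
        parts = [self.and_()]
        while self.peek() == ("op", "||"):
            self.take(); parts.append(self.and_())
        return lambda ctx: any(p(ctx) for p in parts)
    def and_(self):
        parts = [self.cmp()]
        while self.peek() == ("op", "&&"):
            self.take(); parts.append(self.cmp())
        return lambda ctx: all(p(ctx) for p in parts)
    def cmp(self):
        if self.peek() == ("op", "("):
            self.take(); inner = self.or_(); self.take(("op", ")")); return inner
        left = self.atom(); self.take(("op", "==")); right = self.atom()
        return lambda ctx: left(ctx) == right(ctx)
    def atom(self):
        kind, text = self.take()
        if kind == "str":
            return lambda ctx: text
        if kind == "ident":
            return lambda ctx: lookup(ctx, text)
        raise ValueError(f"unexpected {text!r}")

def compile_expr(expr):
    """Compile a custom expression into a function of the request context."""
    return _Parser(tokenize(expr.strip())).parse()

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # 1 is evaluated first, as in Okta
    condition: Optional[str]   # custom expression; None matches every request
    required: frozenset        # authenticator keys that satisfy the rule

@dataclass(frozen=True)
class AccessRequest:
    operation: str             # e.g. 'enroll'
    authenticator_key: str     # authenticator the user is trying to enroll
    enrolled: frozenset        # authenticators the user already holds

def evaluate(rules, req):
    """Return (outcome, rule name): the first matching rule in priority order decides, and it
    allows only if the user already holds one of its required authenticators (simplified model)."""
    ctx = {"accessRequest": {"operation": req.operation,
                             "authenticator": {"key": req.authenticator_key}}}
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.condition is not None and not compile_expr(rule.condition)(ctx):
            continue
        return ("ALLOW" if rule.required & req.enrolled else "DENY"), rule.name
    return "DENY", "no matching rule"

def unknown_authenticator_keys(expr):
    """Quoted values compared with accessRequest.authenticator.key that are not supported keys."""
    compile_expr(expr)                     # reject syntactically broken expressions first
    toks = tokenize(expr.strip())
    return [toks[i + 2][1] for i in range(len(toks) - 2)
            if toks[i] == ("ident", "accessRequest.authenticator.key")
            and toks[i + 1] == ("op", "==") and toks[i + 2][0] == "str"
            and toks[i + 2][1] not in SUPPORTED_KEYS]

# Constructed scenario: a strict rule accepting only Okta Verify or WebAuthn, the article's
# priority 1 bootstrap rule for Okta Verify, and a new user who holds nothing but a password.
STRICT = Rule("Require Okta Verify or WebAuthn", 2, None, frozenset({"okta_verify", "webauthn"}))
BOOTSTRAP = Rule("Allow Okta Verify enrollment with password", 1,
                 "accessRequest.operation == 'enroll' && accessRequest.authenticator.key == 'okta_verify'",
                 frozenset({"password"}))
NEW_USER = AccessRequest("enroll", "okta_verify", frozenset({"password"}))

def outcome_without_fix():
    return evaluate([STRICT], NEW_USER)             # denied: the user lacks every required key

def outcome_with_fix():
    return evaluate([STRICT, BOOTSTRAP], NEW_USER)  # allowed by the priority 1 rule

def outcome_other_authenticator():
    # The bootstrap rule is scoped to okta_verify, so phone_number enrollment still hits the strict rule.
    return evaluate([STRICT, BOOTSTRAP], AccessRequest("enroll", "phone_number", frozenset({"password"})))
```

Run unknown_authenticator_keys on an expression before saving it: a mistyped key such as 'okta-verify' parses fine but never matches a real request, so the priority 1 rule would silently never fire and the deny would remain.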
