Okta Password Reset Fails With User Not Enrolled In Required Authenticators Error
Last Updated:
Overview
When end-users attempt a self-service password recovery, Okta generates an error if the authenticators that administrators select for initiating recovery overlap with the authenticators that administrators require for additional verification. Resolving this requires configuring the authenticator enrollment policies to mandate distinct authenticators for recovery and non-recovery scenarios.
During the password reset flow, the end-user encounters the following error:
FAILURE: User not enrolled in required authenticators for recovery.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Self-Service Account Recovery
- Password Policy
- Authenticator Enrollment
Cause
The error occurs when the password policy requires additional verification for account recovery, but the end-user lacks another valid, enrolled authenticator to complete the step. If an authenticator enrollment policy only allows specific authenticators, such as Email and Phone, and restricts them to recovery only, the end-user cannot use them for the additional verification step. The end-user must possess an enrolled authenticator available for standard authentication to fulfill the additional verification requirement.
Solution
How do administrators configure authenticator enrollment policies for account recovery?
Administrators must ensure that end-users enroll in enough authenticators to satisfy both the recovery initiation and the additional verification requirements. If an authenticator enrollment policy only allows Email and Phone, and restricts both to recovery only, end-users lack authenticators for standard authentication events and additional verification steps.
Update the authenticator enrollment policies to ensure end-users enroll in sufficient authenticators by verifying the following conditions.
- Require end-users to enroll in multiple authenticators to ensure availability for both initiating recovery and completing additional verification.
- Configure at least one non-recovery authenticator as Required in the authenticator enrollment policies.
- Verify that the authenticators available for additional verification do not restrict usage to recovery only.
