Okta Secondary Email Prompt During User Login via Delegated Authentication
Lifecycle Management
Okta Classic Engine
Directories
Okta Identity Engine
Overview

Okta prompts users for a secondary email address during login when Delegated Authentication is active, ensuring account recovery options remain available if the primary email is inaccessible. This behavior varies based on the Okta engine version and whether Self-Service Password Reset (SSPR) rules are enabled for Active Directory (AD) sourced passwords.

Users observe a prompt requesting a secondary email address upon logging in to the Okta Dashboard:

Prompt for secondary email during user login

Applies To
  • Secondary Email
  • Delegated Authentication
  • Okta Classic Engine
  • Okta Identity Engine (OIE)

Cause

Okta allows users authenticating via Delegated Authentication (DelAuth) to reset passwords using Self-Service Password Reset (SSPR) rules under the applicable password policy for Active Directory-sourced passwords. If a user forgets a password or needs a password reset, Okta assumes the primary email address may also be inaccessible. Consequently, the secondary email acts as a critical recovery mechanism for organizations using DelAuth.

Solution

How is the secondary email prompt managed?

The secondary email prompt behavior depends on the specific Okta engine and the status of SSPR rules.

Okta Identity Engine (OIE)

The following conditions and configuration options apply to OIE:

  • If DelAuth is enabled, the system prompts users to add a secondary email on the Welcome page during the first login, regardless of whether SSPR rules are active.

  • For users with Okta-sourced passwords, the Welcome page and subsequent logins do not suggest entering a secondary email.

If a secondary email is not required, the prompt can be deactivated through the Admin Console. The following steps outline the deactivation process:

  1. Navigate to Customizations > Other.

  2. Select Edit in the Optional User Account Fields section.

  3. Click the Secondary Email dropdown menu.

  4. Select Disabled.

  5. Click Save.

Okta Classic Engine

The following conditions trigger the prompt in the Okta Classic Engine:

  • If DelAuth is enabled and SSPR rules are active for the AD-sourced password policy, the system prompts users to add a secondary email on the Welcome page during the first login.

  • If DelAuth and SSPR are enabled after an account is already active, the system prompts the user for a secondary email during the next login.

  • For users with Okta-sourced passwords, the Welcome page and subsequent logins do not suggest entering a secondary email.
