Okta Users Unable to Reset Password via https://<subdomain>.okta.com/reset-password
Okta Identity Engine
Administration
Overview

This article explains why users cannot reset their passwords when navigating directly to https://<subdomain>.okta.com/reset-password while using the Okta Account Management Policy. Although users can successfully reset passwords via the Forgot password? link on the Sign-In Widget (SIW), direct access to the reset URL triggers the following error message:

At this time your password can only be reset by an administrator. To send them a request, go to your Sign-in Help page. Then click the Request help link.

NOTE: The /reset-password URL is a legacy endpoint supported only for backward compatibility and is not intended for new implementations. Organizations using Okta Identity Engine (OIE) should migrate to a modern password recovery model, such as an embedded authentication flow or Software Development Kits (SDKs) that leverage the Identity Experience (IDX) pipeline.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Account Management Policy
  • Password Reset
Cause

The /reset-password URL is a legacy endpoint. When an organization uses the Okta Account Management Policy, the legacy rules in the password policy must be specifically adjusted to support this endpoint, as they do not automatically align with modern policy configurations.

Solution

While organizations on OIE should migrate to a modern password recovery model, the following steps can serve as a mitigation to allow password resets via the direct legacy URL.

  1. In the Okta Admin Console, navigate to Security > Authenticators.
  2. Select the Setup tab.
  3. Ensure Email is added and configured for Recovery purposes.
  4. Edit the password policy rules and temporarily select This rule (legacy).
  5. Select the Email checkbox under the Users can initiate recovery with section.
  6. Reselect the standard Authentication Policy or rule view and select Save.
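
A check an administrator might run after step 6, as an added example that is not part of the Okta article: it reads password policy rules exported as JSON and reports which active rules let users start self-service recovery with email. The field names (`actions.selfServicePasswordReset.access`, `requirement.primary.methods`) are an assumption based on the rule shape of the Okta Policies API and should be compared with the org's own export; the sample rules are constructed.

```python
import json

# Constructed sample, not real org data. Layout assumed to match the rule
# objects returned by the Okta Policies API for a password policy.
SAMPLE_RULES = json.loads("""
[
  {"id": "rule-A", "name": "Default Rule", "status": "ACTIVE",
   "actions": {"selfServicePasswordReset": {"access": "ALLOW",
     "requirement": {"primary": {"methods": ["email", "sms"]}}}}},
  {"id": "rule-B", "name": "Contractors", "status": "ACTIVE",
   "actions": {"selfServicePasswordReset": {"access": "ALLOW",
     "requirement": {"primary": {"methods": ["push"]}}}}},
  {"id": "rule-C", "name": "Service accounts", "status": "ACTIVE",
   "actions": {"selfServicePasswordReset": {"access": "DENY"}}},
  {"id": "rule-D", "name": "Old rule", "status": "INACTIVE",
   "actions": {"selfServicePasswordReset": {"access": "ALLOW",
     "requirement": {"primary": {"methods": ["email"]}}}}}
]
""")


def email_recovery_state(rule):
    """Classify one rule as 'email', 'no-email', 'denied' or 'inactive'."""
    if rule.get("status") != "ACTIVE":
        return "inactive"  # inactive rules are never evaluated
    sspr = rule.get("actions", {}).get("selfServicePasswordReset", {})
    if sspr.get("access") != "ALLOW":
        return "denied"  # self-service reset is switched off for this rule
    methods = sspr.get("requirement", {}).get("primary", {}).get("methods", [])
    # 'email' must be among the methods a user can initiate recovery with
    return "email" if "email" in [m.lower() for m in methods] else "no-email"


def audit(rules):
    """Map each rule name (or id when unnamed) to its recovery state."""
    return {r.get("name", r.get("id")): email_recovery_state(r) for r in rules}


if __name__ == "__main__":
    for name, state in audit(SAMPLE_RULES).items():
        print(f"{name:20} {state}")
```

Rules reported as `no-email` or `denied` are the ones where the steps above have not taken effect; because the change is described as a mitigation, the same report can be kept to track which rules to revisit after migrating off the legacy URL.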