Okta Verify Self-Enrollment Process on Okta Classic Engine
Last Updated:
Overview
In the Okta Classic Engine, Okta Verify binds to a single device per account, and actions such as device upgrades or factory resets break this binding. Users can self-enroll a new device by authenticating with a backup factor and removing the old enrollment in the Okta User Dashboard, or an administrator must manually reset the factor. When an end-user loses access to a registered Okta Verify instance, the authentication prompt requires a new enrollment to validate identity during Multi-Factor Authentication (MFA).
Applies To
- Okta Verify
- Okta Classic Engine
Cause
On the Okta Classic Engine, Okta Verify binds to a single device per account at any given time. Certain user actions break this cryptographic binding and require a complete re-enrollment. These actions include:
- Uninstalling and reinstalling the Okta Verify application.
- Upgrading to a new mobile phone.
- Transferring or restoring device data from a cloud backup.
- Running mobile optimization or cleaning applications that delete local application caches.
- Factory resetting the mobile device.
Solution
How is self-service availability identified?
Identify whether the user can perform self-service by checking the authentication prompt for a dropdown arrow to confirm whether backup MFA factors are configured.
- If the dropdown arrow is visible, the user has configured backup MFA factors. Proceed to the self-reset steps.
- If the dropdown arrow is missing, Okta Verify is the only registered factor. Proceed to the administrator intervention steps.
If the User Can Self-Reset Okta Verify
If alternative authentication methods are available, reset the device pairing by selecting a backup method, navigating to the Okta User Dashboard settings, removing the existing Okta Verify enrollment, and setting up a new device.
- Select the Dropdown Arrow on the login prompt and choose an alternative backup method, such as SMS, Voice Call, or Security Question, to complete the login.
- On the Okta User Dashboard, select the user name in the top-right corner and choose Account Settings.
- Select the Edit Profile button.
NOTE: The user must re-enter the primary password and pass an alternative MFA challenge to unlock these settings. - Scroll down to the Extra Verification section.
- Locate Okta Verify and select Remove.
- When prompted with the message "Are you sure you want to remove Okta Verify enrollment?", select Yes.
- After the page refreshes, locate the Okta Verify row, select the Set up button, and follow the on-screen instructions to scan the new QR code with the device.
If Administrator Intervention is Required
If the account policy does not provide alternative authentication paths, an Okta Administrator must manually reset the factor in the Okta Admin Console and instruct the user to re-enroll.
- From the Okta Admin Console, navigate to the user profile and manually clear or reset the Okta Verify enrollment.
- Instruct the user to log back in to automatically prompt a fresh Okta Verify enrollment wizard.
NOTE: After manually resetting a user's MFA, administrators must not log out of the administrator session until the user confirms a successful login and re-registration. If an issue occurs during re-enrollment, the account may lock, requiring an immediate administrator unlock action.
