This article explains why users are getting automatically enrolled into the Email Authenticator instead of seeing the option to enroll in the Email Authenticator when the feature Enable optional email enrollment for Okta Identity Engine is enabled.
- Optional Email Enrollment
- Early Access Feature
- Okta Identity Engine (OIE)
When configuring self-service account recovery, the Authenticators that end users can use to reset their password or unlock their account must be specified. End users must enroll in at least one of these authenticators:
- Okta Verify (Push Notification only)
- Phone (SMS/Voice call)
- Google Authenticator
If Email is the only authenticator specified for account recovery, the end users must enroll their email as an authenticator.
- Go to the Okta Admin Console and select Security > Authenticators to check this.
- In the Password row, click Actions > Edit, and scroll down to the Rules of the Authentication Policy. Under THEN Users can perform self-service, either Password reset or Unlock account is selected.
- Scroll to the section called Recovery authenticators.
- Make sure that under "AND Users can initiate recovery with," Email is either not selected or is not the only option selected. All users who will fall under this Password Policy must have access to at least one of the options selected here.
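The same check can be run against the password policy rules returned by the Okta Policy API instead of clicking through the Admin Console. The following script is an added example, not part of this article or of Okta's own tooling; the field paths (actions.selfServicePasswordReset / selfServiceUnlock, requirement.primary.methods) are assumed from the OIE password policy rule format and should be confirmed against a real GET /api/v1/policies/{policyId}/rules response, and the sample rules are constructed.

```python
"""Flag OIE password-policy rules whose self-service recovery allows only Email.

Such a rule forces every user under the policy to enroll Email, which is why the
optional-enrollment prompt never appears. Field paths below are an assumption
about the Policy API rule shape; verify them against a real tenant response.
"""
from typing import Dict, List

# Both recovery flows carry their own authenticator requirement in OIE.
RECOVERY_ACTIONS = ("selfServicePasswordReset", "selfServiceUnlock")


def email_only_recovery_rules(rules: List[Dict]) -> List[str]:
    """Return names of rules that allow recovery but list Email as the only method."""
    flagged = []
    for rule in rules:
        actions = rule.get("actions", {})
        for action_name in RECOVERY_ACTIONS:
            action = actions.get(action_name, {})
            if action.get("access") != "ALLOW":
                continue  # this rule does not offer that recovery flow
            methods = action.get("requirement", {}).get("primary", {}).get("methods", [])
            if set(methods) == {"email"}:
                flagged.append(rule.get("name", rule.get("id", "<unnamed>")))
                break  # one finding per rule is enough
    return flagged


# Constructed sample, not a real tenant's policy: only the first rule is Email-only.
SAMPLE_RULES = [
    {"id": "r1", "name": "Default Rule",
     "actions": {"selfServicePasswordReset": {"access": "ALLOW",
                 "requirement": {"primary": {"methods": ["email"]},
                                 "stepUp": {"required": False}}},
                 "selfServiceUnlock": {"access": "DENY"}}},
    {"id": "r2", "name": "Contractors",
     "actions": {"selfServicePasswordReset": {"access": "ALLOW",
                 "requirement": {"primary": {"methods": ["email", "sms", "push"]},
                                 "stepUp": {"required": False}}},
                 "selfServiceUnlock": {"access": "DENY"}}},
    {"id": "r3", "name": "No SSPR",
     "actions": {"selfServicePasswordReset": {"access": "DENY"},
                 "selfServiceUnlock": {"access": "DENY"}}},
]

if __name__ == "__main__":
    for name in email_only_recovery_rules(SAMPLE_RULES):
        print(f"Rule '{name}' allows recovery with Email only; users under it are auto-enrolled")
```

Any rule the script names should be edited so that at least one other recovery authenticator is selected, or Email is deselected, exactly as in the steps above.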
NOTE: All users created or provisioned before the feature was enabled were already auto-enrolled in the Email Authenticator, and their Email Authenticator must be reset before they see the option to enroll in Email.
Example of what the desired screen should look like:
