In the Okta Identity Engine (OIE), the user’s primary email address is automatically enrolled as an authenticator for authentication and recovery in the following scenarios:
- The user verifies that they own the email (for example, during Self-Service Registration).
- The user is not required to prove ownership of the email (for example, when the admin creates the user account).
This article provides steps to prevent the email factor from auto-enrolling.
Applies To:
- Okta Identity Engine (OIE)
- Authenticators
- Email Factor
The user will be prompted to enroll in the email factor, rather than being automatically enrolled, if the following two conditions are met:
- The Enable optional email enrollment for Okta Identity Engine feature is enabled under Admin Console > Settings > Features.
- In the enrollment policy, the Email Factor is set to optional or disabled.
NOTE:
- If the email factor is set as required, it will auto-enroll even if the Enable optional email enrollment for Okta Identity Engine feature flag is enabled.
- If the Email is used in any Password and/or Account Recovery option, it must be removed from that option; otherwise, Okta will still automatically enroll the email as a Factor.
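The conditions and notes above can be checked offline against exported policy JSON. The following is an added example, not Okta's own code: the field names (`settings.authenticators[].enroll.self`, `settings.recovery.factors.okta_email.status`) are assumptions about the shape of policy objects returned by the Okta Policies API, the feature state is passed in as a boolean read from the Admin Console, and the sample policies are constructed.

```python
# Added example: audit exported Okta policy JSON for settings that keep
# email auto-enrollment active. Field names are assumed, samples are constructed.

def email_enroll_mode(enroll_policy):
    """Return the email authenticator's enroll setting in an enrollment policy."""
    for auth in enroll_policy.get("settings", {}).get("authenticators", []):
        if auth.get("key") == "okta_email":
            return auth.get("enroll", {}).get("self", "NOT_ALLOWED")
    # Assumption: an authenticator missing from the policy is treated as disabled.
    return "NOT_ALLOWED"

def email_used_for_recovery(password_policy):
    """True if the password policy lists email as an active recovery option."""
    factors = password_policy.get("settings", {}).get("recovery", {}).get("factors", {})
    return factors.get("okta_email", {}).get("status") == "ACTIVE"

def auto_enroll_reasons(optional_email_feature_enabled, enroll_policy, password_policies):
    """List every reason email would still auto-enroll; empty list means it will not."""
    reasons = []
    if not optional_email_feature_enabled:
        reasons.append("optional email enrollment feature is not enabled")
    if email_enroll_mode(enroll_policy) == "REQUIRED":
        reasons.append(f"enrollment policy '{enroll_policy.get('name')}' requires email")
    for policy in password_policies:
        if email_used_for_recovery(policy):
            reasons.append(f"password policy '{policy.get('name')}' uses email for recovery")
    return reasons

# Constructed sample policies (not taken from a real tenant).
ENROLL_OPTIONAL = {"name": "Default Policy", "settings": {"authenticators": [
    {"key": "okta_password", "enroll": {"self": "REQUIRED"}},
    {"key": "okta_email", "enroll": {"self": "OPTIONAL"}}]}}
ENROLL_REQUIRED = {"name": "Contractors", "settings": {"authenticators": [
    {"key": "okta_email", "enroll": {"self": "REQUIRED"}}]}}
PW_EMAIL_RECOVERY = {"name": "Default Password Policy", "settings": {"recovery": {
    "factors": {"okta_email": {"status": "ACTIVE"}}}}}
PW_NO_EMAIL = {"name": "SMS Only", "settings": {"recovery": {
    "factors": {"okta_email": {"status": "INACTIVE"},
                "okta_sms": {"status": "ACTIVE"}}}}}

if __name__ == "__main__":
    for reason in auto_enroll_reasons(True, ENROLL_OPTIONAL, [PW_EMAIL_RECOVERY, PW_NO_EMAIL]):
        print("email will auto-enroll:", reason)
```

An empty result means both conditions hold and neither note applies, so the user is prompted instead of being auto-enrolled.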
