<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Security Question Configuration
Oct 16, 2025
Multi-Factor Authentication
Okta Identity Engine
Overview

Account recovery is possible with a security question in Okta Identity Engine. This is different from the configurable recovery questions in Okta Classic.

Applies To
  • Okta Identity Engine (OIE)
  • Secret Question Configuration
Cause

In OIE, when the Security Question authenticator is enabled, only the pre-set questions that are already created can be used, and custom questions cannot be created globally. Only an end user can manually create their own secret question during enrollment.

Solution

Review all of the out-of-the-box secret questions. This can be done via enrollment or by running the following

Option 1: via API call: 

GET /api/v1/users/${userId}/factors/questions

 

Option 2: via GUI:

Security Question GUI

Users can create a custom security question within their account. However, admins cannot create a global custom question available to all users. There is also no way to turn off the ability for users to not create a custom security question for their account that other people will not know the answer to.

Recommended content

Still looking for help?
Loading
Security Question Configuration