Administrators may observe that an account is prompted to set up a Security Question during the initial account setup process, even when the Security Question authenticator is disabled in the Authenticator Enrollment Policy. This article addresses this behavior and provides the steps to resolve it.
- Okta Identity Engine (OIE)
- Authenticators
- Password Policies
Password policies can create a requirement for a user to enroll in the Security Question authenticator for password recovery purposes. If the self-service recovery options for Password reset or Unlock account are enabled and the Additional verification is setting is set to Only Security Question, accounts must enroll in the Security Question authenticator, regardless of the settings in the Authenticator Enrollment Policy.
- In the Admin Console, go to Security > Authenticators.
- In the Password row, select Actions > Edit.
- Select the policy that applies to the affected accounts.
- Scroll to the Rules section and locate the active rule.
- Select the Edit (pencil) icon to modify the rule.
- Locate the Account Recovery section.
- If Password reset or Unlock account is selected, check the AND Additional verification is setting.
- If Only Security Question is selected, change this setting to a different option to remove the mandatory Security Question enrollment.
- Select Update Rule.
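
To review many password policy rules at once rather than opening each one in the Admin Console, the same condition can be evaluated over exported rule JSON. This is an added example, not Okta's code: the field layout (`actions.selfServicePasswordReset.requirement.stepUp`, `actions.selfServiceUnlock.access`) and the sample rules are assumptions constructed for illustration and should be checked against the rule objects your own tenant returns.

```python
"""Offline audit: which password policy rules force Security Question enrollment?"""

def _dig(obj, *keys):
    """Walk nested dicts, treating missing or null levels as empty."""
    for key in keys:
        obj = (obj or {}).get(key)
    return obj

def forces_security_question(rule):
    """True when an active rule enables recovery and allows only Security Question."""
    if rule.get("status") != "ACTIVE":
        return False
    # "Password reset" or "Unlock account" selected in the Account Recovery section.
    recovery_on = any(
        _dig(rule, "actions", action, "access") == "ALLOW"
        for action in ("selfServicePasswordReset", "selfServiceUnlock")
    )
    # "Additional verification is" set to "Only Security Question" (assumed encoding).
    step_up = _dig(rule, "actions", "selfServicePasswordReset", "requirement", "stepUp") or {}
    only_question = bool(step_up.get("required")) and step_up.get("methods") == ["security_question"]
    return recovery_on and only_question

def audit(rules):
    """Return the names of rules that make Security Question enrollment mandatory."""
    return [rule["name"] for rule in rules if forces_security_question(rule)]

def _rule(name, status, reset, unlock, required, methods):
    """Build one constructed sample rule in the assumed shape."""
    return {"name": name, "status": status, "actions": {
        "selfServicePasswordReset": {"access": reset, "requirement": {
            "stepUp": {"required": required, "methods": methods}}},
        "selfServiceUnlock": {"access": unlock}}}

# Constructed sample data, not taken from a real tenant.
SAMPLE_RULES = [
    _rule("Default Rule", "ACTIVE", "ALLOW", "DENY", True, ["security_question"]),
    _rule("Unlock only", "ACTIVE", "DENY", "ALLOW", True, ["security_question"]),
    _rule("Any authenticator", "ACTIVE", "ALLOW", "ALLOW", True, None),
    _rule("No step-up", "ACTIVE", "ALLOW", "DENY", False, None),
    _rule("Recovery off", "ACTIVE", "DENY", "DENY", True, ["security_question"]),
    _rule("Old rule", "INACTIVE", "ALLOW", "ALLOW", True, ["security_question"]),
]

if __name__ == "__main__":
    for name in audit(SAMPLE_RULES):
        print(f"Rule forces Security Question enrollment: {name}")
```

Rules reported by the audit are the ones to open and change in the Account Recovery section as described in the steps above.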
