A Super Administrator of an Okta Integrator Free Plan tenant can become locked out of their account after modifying the authentication policy.
Specifically, this occurs if the administrator navigates to Security > Authenticators, selects the Enrollment tab, edits the Default Policy, and sets all multi-factor authenticators (MFA), such as Okta Verify, to Disabled, leaving only Password as Required. Subsequently, any attempt by the Super Admin to log in will fail, effectively locking them out of the tenant.
- Okta Identity Engine (OIE)
- Integrator Free Plan
- ISV
The root cause of this lockout is removing all required multi-factor authentication methods for the Super Administrator. Like other Okta tenants, the Integrator Free Plan mandates using MFA for administrator accounts as a security measure.
With every authenticator except the password disabled, the edited policy no longer permits the second factor that the system still expects from the administrator, so the sign-on policy is left in a state where the administrator cannot authenticate successfully.
For free-tier accounts such as the Integrator Free Plan, Okta support does not provide a manual account recovery or reset service for administrator lockouts.
It is a mandatory security requirement for administrators on the Okta Integrator Free Plan to have MFA enabled. To prevent a lockout, it is strongly recommended that the enrollment policy always have a minimum of two authenticators enabled.
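As an added example (not Okta's code), the following pre-change check flags an enrollment policy that would leave the password as the only enabled authenticator, or that falls below the recommended minimum of two. It assumes the policy is available as JSON in the shape the Okta Policies API uses for `MFA_ENROLL` policies (`settings.authenticators[].key` and `enroll.self`); the finding codes and the sample policies are constructed for illustration.

```python
PASSWORD_KEY = "okta_password"      # Okta's key for the password authenticator
ENABLED = {"OPTIONAL", "REQUIRED"}  # enroll.self values that permit enrollment

def enabled_authenticators(policy):
    """Keys of the authenticators this enrollment policy lets users enroll."""
    entries = policy.get("settings", {}).get("authenticators", [])
    return sorted(a["key"] for a in entries
                  if a.get("enroll", {}).get("self") in ENABLED)

def assess(policy):
    """Return a list of finding codes; an empty list means the policy passes."""
    enabled = enabled_authenticators(policy)
    findings = []
    if not [k for k in enabled if k != PASSWORD_KEY]:
        # No authenticator besides the password: the lockout condition above.
        findings.append("NO_SECOND_FACTOR")
    if len(enabled) < 2:
        # The article recommends at least two enabled authenticators.
        findings.append("FEWER_THAN_TWO_ENABLED")
    return findings

def make_policy(**enroll):
    """Build a constructed sample policy from key=enroll.self pairs."""
    return {"type": "MFA_ENROLL", "name": "Default Policy",
            "settings": {"type": "AUTHENTICATORS", "authenticators": [
                {"key": k, "enroll": {"self": v}} for k, v in enroll.items()]}}

# Constructed samples, not exported from a real tenant.
SAFE = make_policy(okta_password="REQUIRED", okta_verify="OPTIONAL",
                   okta_email="NOT_ALLOWED")
RISKY = make_policy(okta_password="REQUIRED", okta_verify="NOT_ALLOWED",
                    okta_email="NOT_ALLOWED")

if __name__ == "__main__":
    for label, policy in (("safe", SAFE), ("risky", RISKY)):
        print(label, enabled_authenticators(policy), assess(policy) or "OK")
```

Run the check against the edited policy before saving it, and treat any finding as a reason not to apply the change.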
If a Super Administrator is already locked out of their Integrator Free Plan tenant due to the cause described above, the only recourse is to create a new Integrator Free Plan organization.
Follow these steps to resolve the issue:
- Create a New Integrator Free Plan Tenant:
  - Navigate to the Okta Developer sign-up page.
  - It is recommended to sign up using the same email address as the locked-out account, but with a "+" alias. Most email providers (for example, Gmail) will deliver emails sent to your.email+alias@example.com to the your.email@example.com inbox. For instance, if the original email was admin@company.com, signing up with admin+oin@company.com is an option.
- Add a New Super Administrator to the New Tenant:
  - Complete this step after successfully creating and logging in to the new Integrator Free Plan tenant.
  - To grant administrative access to other users (or the original, now-unaliased email address), navigate to Security > Administrators.
  - Click Add administrator.
  - Follow the prompts to assign the Super Administrator role to the desired user.
- Continue with OIN Submission:
  - With the new tenant and a Super Administrator account, the Okta Integration Network (OIN) submission can now proceed.
