This article explains the expected behavior when attempting to save a Password Policy rule with Recovery authenticators configured to use an Authentication policy.
- Okta Identity Engine (OIE)
- Password Policy
- Self-service password change (from account settings)
This occurs when "Users can perform self-service" is set to "Password change (from account settings)" only. In this scenario, the configuration defaults back to "This rule (legacy)". The "Authentication policy" control for Recovery authenticators requires at least one self-service recovery option, such as "Password reset" or "Unlock account", to be enabled. When only "Password change (from account settings)" is selected, the dependency needed for the Authentication policy mapping is missing, so the system defaults to the legacy rule.
- Enable an additional self-service option (such as "Password reset") to allow the use of the "Authentication policy" setting.
- Alternatively, to only allow password changes from account settings, keep "This rule (legacy)" selected.
