Unenrolled Authenticators Displayed in Account Lockout Recovery Options

Oct 17, 2025

Multi-Factor Authentication

Okta Identity Engine

Overview

This article explains why end-users may see password recovery options that do not appear to be enabled in their assigned password policy.

For example:

Select only Email as a recovery option.

Recovery authentication

Trigger the self-service password reset flow.
The user is offered the possibility to use other factors besides email.

Account recovery options

Applies To

Okta Identity Engine (OIE)
Account Recovery
"Users can initiate recovery with" Password Policy

Cause

This issue occurs when the User enumeration prevention feature is enabled with the Recovery option selected. This security feature changes the account recovery experience to prevent attackers from discovering which authenticators a user has enrolled.

Recovery Option Enabled

Solution

To change this behavior, disable the Recovery option within the User enumeration prevention settings.

In the Admin Console, go to Security > General.
In the User enumeration prevention section, select Edit.
Clear the Recovery checkbox.

Recovery option disabled

Select Save.

After completing these steps, the account recovery page will only display authenticators that the user is enrolled in.

Recovery Authenticators

Self-service account recovery

Related References

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies

Your Privacy

Your Privacy

Strictly Necessary Cookies

Strictly Necessary Cookies

Functional Cookies

Functional Cookies

Performance Cookies

Performance Cookies

Share or Sell of Personal Data

Share or Sell of Personal Data

Advertising Cookies