When different self-service password reset or unlock policies are created for different user groups, all users see every password reset and account unlock option, even though different policies apply to them.
- Okta Classic Engine
- Okta Identity Engine
- Self-service password reset
This is expected behavior.
The sign-in widget does not know which user is attempting to log in until credentials are entered and submitted. Because of this, Okta displays every password reset and unlock option that is configured in any password policy. For example, if SMS is enabled as a password reset option in one password policy, the SMS option is still displayed to users who do not have that policy applied to them, because Okta cannot know which user is logging in before the login takes place.
However, if a user attempts to use an option that is displayed but not applied to them, it will not succeed. Okta deliberately hides this distinction (security through obscurity), so an attacker cannot tell which users are allowed to reset a password or unlock an account. The user still receives a message stating that they need to contact their administrator for a password reset or unlock.
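The display-versus-enforcement behaviour described above, as an added illustrative model (not Okta's code): the widget shows the union of options across all policies because no user is known yet, while enforcement happens per user after the request, and the requester sees the same acknowledgement either way. Policy ordering, group names and message text are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    name: str
    groups: set[str]          # groups this policy applies to
    reset_options: set[str]   # e.g. {"email", "sms"}

# Constructed sample policies, listed in priority order (assumption):
# the first policy whose groups match the user is the one applied.
POLICIES = [
    PasswordPolicy("Sales", {"Sales"}, {"email", "sms"}),
    PasswordPolicy("Default", {"Everyone"}, {"email"}),
]

# Constructed sample users and their group memberships.
USERS = {
    "alice": {"Everyone", "Sales"},   # Sales policy applies: email + sms
    "bob": {"Everyone"},              # Default policy applies: email only
}

# Uniform acknowledgement shown to whoever submits the form.
ACK = "If the account is eligible, reset instructions have been sent."

def widget_options(policies):
    """Before sign-in no user is known, so the widget shows the union of
    every option configured in any policy."""
    return set().union(*(p.reset_options for p in policies))

def applied_policy(user, policies):
    """Return the first (highest-priority) policy matching the user's groups."""
    groups = USERS.get(user, set())
    return next((p for p in policies if p.groups & groups), None)

def request_reset(user, option, policies):
    """Per-user enforcement. The requester always sees ACK; only the
    out-of-band message to the account owner differs, so the response
    does not reveal which policy (or which options) apply to the user."""
    policy = applied_policy(user, policies)
    if policy is not None and option in policy.reset_options:
        sent = f"reset link via {option}"
    else:
        sent = "notice: contact your administrator to reset your password"
    return {"shown_to_requester": ACK, "sent_to_user": sent}

if __name__ == "__main__":
    print("widget shows:", sorted(widget_options(POLICIES)))
    for u in ("alice", "bob"):
        print(u, "requesting sms ->", request_reset(u, "sms", POLICIES))
```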
