Okta Classic Engine | Single Sign-On | Answered | 2024-04-03T16:09:08.000Z | 2022-12-15T17:57:09.000Z | 2023-05-22T20:15:34.000Z

MatthewH.10249 (State of Iowa) asked a question.

How to allow self recovery of staged user accounts.

We have recently implemented Okta for a CIAM app that had tens of thousands of existing app users. These existing app users are required to create a new account in Okta, but for some reason a larger than expected set of these users are not completing the registration process in a timely manner. This is causing their accounts to be put into a "Staged" status, and they are stuck because they did not either complete the email verification or set a password. When they try to use the link in the verification email after 30 min, it fails saying it expired, and if they happen to still have the password setup screen showing, it reports that their session timed out. Either way they are stuck. It appears that when we try to resend the verification email for a "Staged" account, the new email link will not work, so we have to deactivate the account and then activate it, which then causes their account to go to "pending user action" status and sends them a new verification email that works if they click the link within 1 day.

 

So getting to my questions:

1. Is there a way to allow users to self recover when users did not complete the registration process in a timely manner when their accounts are in a "Staged" status?
2. If there is no way to self recover, are there any downsides for us to automate the deactivate/reactivate process via Workflows on a scheduled basis (twice a day)?
3. Are there any settings/adjustments beyond increasing the "Email challenge lifetime" that others have used to limit the number of users who experience this issue?

 

Thanks for your time!


  • Hi @MatthewH.10249 (State of Iowa), Thank you for reaching out to the Okta Community!

     

    To answer your questions: 

    1- there is no way to allow self service recovery if the users haven't finished the registration as that's the part where they should configure the recovery options. 

     

    2- difficult to foresee everything, but one thing that comes to mind might be the rate limits depending on the size of the environment. Another one, although highly unlikely, would be that automation implies a certain lack of active monitoring, so for example if one of the account inboxes is compromised, it would give malicious actors an advantage. But I'm not sure how much this would differ from the regular activation flow if we're talking about already compromised accounts.

     

    3- I'll leave this one open for responses from the Community's pool of experience. 

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

    • MatthewH.10249 (State of Iowa)

      Thanks for your feedback! I'm going to hold off marking this as "best" in hopes that will encourage others to respond as I cannot imagine we are the only ones experiencing this and it is a big pain point. I need a way that the end user can get themselves out of this rather than being stuck and having a support person have to manually take action. I wonder if others might be deleting accounts that stay in "Staged" status for more than a day so that end users can attempt to register again.

  • SeanS.83680 (Customer)

    @MatthewH.10249 (State of Iowa), it's unfortunate that Okta doesn't have a real solution for this, but I can suggest what I did when presented with a very similar scenario recently.

     

    You can create a web form for your users to submit that ties into a workflow in something like HubSpot, Jira, or Power Automate. That workflow can then query Okta via API, using the user's submitted email address. In the case of status "STAGED", I then use the user delete call, {{url}}/api/v1/users/{{userId}}, twice. The first disables the user, allowing the second to perform the delete.

This question is closed.
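
The lookup-then-delete workflow from SeanS's answer, with the rate-limit concern from the first reply handled, as an added example that is not part of the original thread or Okta's own code. It assumes the Okta login equals the submitted email address; `recover_staged`, `call`, `REPLY` and `FakeOkta` are hypothetical names, and the fake API and its users are constructed so the block runs offline.

```python
import time
from urllib.parse import quote

# Same reply for every outcome, so the public form never reveals which
# addresses have accounts or what state they are in.
REPLY = "If a registration was pending for this address, it has been reset."

def recover_staged(email, call, sleep=time.sleep):
    """call(method, path) -> (status, headers, body): hypothetical transport that
    adds the Okta base URL and API token. Returns (audit_action, reply)."""
    def okta(method, path):
        for _ in range(3):  # Okta answers HTTP 429 when a rate limit is hit
            status, headers, body = call(method, path)
            if status != 429:
                return status, body
            # X-Rate-Limit-Reset: epoch second at which the limit resets
            reset = float(headers.get("X-Rate-Limit-Reset", 0))
            sleep(max(0.0, reset - time.time()) + 1)
        raise RuntimeError("still rate limited after 3 attempts")

    # Assumption: the Okta login is the email address typed into the form.
    status, user = okta("GET", "/api/v1/users/" + quote(email, safe=""))
    if status != 200 or user.get("status") != "STAGED":
        return "ignored", REPLY  # unknown, ACTIVE, etc. are never touched
    for _ in range(2):  # first DELETE deactivates, second DELETE removes
        status, _ = okta("DELETE", "/api/v1/users/" + user["id"])
        if status not in (200, 204):
            raise RuntimeError(f"unexpected HTTP {status} from delete")
    return "deleted", REPLY

class FakeOkta:
    """Constructed stand-in for the Okta API so the example runs offline."""
    def __init__(self, users):
        self.users, self.calls, self.throttle = users, [], 1  # first call gets a 429
    def __call__(self, method, path):
        self.calls.append((method, path))
        if self.throttle:
            self.throttle -= 1
            return 429, {"X-Rate-Limit-Reset": str(int(time.time()))}, {}
        key = path.rsplit("/", 1)[1]
        user = next((u for u in self.users
                     if key in (u["id"], quote(u["login"], safe=""))), None)
        if user is None:
            return 404, {}, {}
        if method == "GET":
            return 200, {}, user
        if user["status"] == "DEPROVISIONED":
            self.users.remove(user)           # second DELETE: account removed
        else:
            user["status"] = "DEPROVISIONED"  # first DELETE: deactivated
        return 204, {}, {}
```

Only accounts in STAGED are acted on and every caller gets the same reply, so the form cannot be used to remove active accounts or to probe which addresses are registered; the returned action is for the audit log only.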