
JonathanO.11483 (Customer) asked a question.
When using API to check which MFA factors a user is enrolled in, if a user has only Okta Verify app on their phone, it shows two factors:
• token:software:totp
• signed_nonce
When performing an Okta Verify reset to remove the phone enrollment, only the software TOTP factor is reset. The signed_nonce factor remains, leaving the Okta Verify reset incomplete/unsuccessful.
Request:
• Why is the signed_nonce factor not being reset along with token:software:totp?
• How can we ensure a complete Okta Verify reset for users?
• Could this behavior be related to enabling Okta FastPass in our tenant?

Hi @JonathanO.11483 (Customer), thank you for reaching out to the Okta Community!
Yes, this behavior is directly related to enabling Okta FastPass in your tenant. Without FastPass, the signed_nonce factor would not exist, and a standard Okta Verify reset would successfully remove all factors. FastPass creates a separate authentication enrollment that is not cleared by the traditional Okta Verify reset API. This distinction is crucial for maintaining the security of phishing-resistant authentication methods. Please check the Factors API doc and the "Unenroll a factor" section.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
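Added example (not code from the original post, the answer, or Okta): a script that follows the answer's pointer to the Factors API by listing a user's enrolled factors, selecting every enrollment that belongs to Okta Verify (token:software:totp, push and signed_nonce with provider OKTA, while leaving Google Authenticator's token:software:totp and other factors alone), unenrolling each one, and re-listing to confirm nothing Okta Verify-related is left. The endpoints are the documented "List enrolled factors" and "Unenroll a factor" calls; the org URL, API token, user ID, factor IDs and the sample factor list are placeholders and constructed data, and the unenroll call is injected so the logic runs offline against the sample.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Tuple

# Factor types Okta reports for an Okta Verify enrollment. token:software:totp is
# only Okta Verify when provider is OKTA; provider GOOGLE is Google Authenticator.
OKTA_VERIFY_TYPES = {"token:software:totp", "push", "signed_nonce"}

Factor = Dict[str, str]


def okta_verify_factors(factors: List[Factor]) -> List[Factor]:
    """Return the subset of a user's factor list that belongs to Okta Verify."""
    return [
        f for f in factors
        if f.get("provider") == "OKTA" and f.get("factorType") in OKTA_VERIFY_TYPES
    ]


def _headers(api_token: str) -> Dict[str, str]:
    return {
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    }


def list_factors(org_url: str, api_token: str, user_id: str) -> List[Factor]:
    """GET /api/v1/users/{userId}/factors (Factors API, 'List enrolled factors')."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/factors", headers=_headers(api_token)
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unenroll_factor(org_url: str, api_token: str, user_id: str, factor_id: str) -> int:
    """DELETE /api/v1/users/{userId}/factors/{factorId} (Factors API, 'Unenroll a factor')."""
    req = urllib.request.Request(
        f"{org_url}/api/v1/users/{user_id}/factors/{factor_id}",
        method="DELETE",
        headers=_headers(api_token),
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 on success


def reset_okta_verify(
    user_id: str,
    factors: List[Factor],
    unenroll: Callable[[str, str], object],
) -> List[Tuple[str, str]]:
    """Unenroll every Okta Verify factor (TOTP, push and signed_nonce), not only TOTP.

    `unenroll(user_id, factor_id)` is injected so the selection logic can be run
    against a recorded factor list without touching an org.
    """
    removed = []
    for f in okta_verify_factors(factors):
        unenroll(user_id, f["id"])
        removed.append((f["factorType"], f["id"]))
    return removed


# Constructed sample of a List Factors response; ids and prefixes are made up.
SAMPLE_FACTORS: List[Factor] = [
    {"id": "ostEXAMPLE0001", "factorType": "token:software:totp", "provider": "OKTA", "status": "ACTIVE"},
    {"id": "fwfEXAMPLE0002", "factorType": "signed_nonce", "provider": "OKTA", "status": "ACTIVE"},
    {"id": "uftEXAMPLE0003", "factorType": "token:software:totp", "provider": "GOOGLE", "status": "ACTIVE"},
    {"id": "smsEXAMPLE0004", "factorType": "sms", "provider": "OKTA", "status": "ACTIVE"},
]


if __name__ == "__main__":
    # Dry run against the constructed sample: record what would be unenrolled.
    deleted: List[str] = []
    removed = reset_okta_verify("00uEXAMPLE", SAMPLE_FACTORS, lambda u, fid: deleted.append(fid))
    print("would unenroll:", removed)
    remaining = okta_verify_factors([f for f in SAMPLE_FACTORS if f["id"] not in deleted])
    print("Okta Verify factors left:", remaining)  # an empty list means the reset is complete
    # Against a real org (placeholders ORG_URL, API_TOKEN, USER_ID) the same logic is:
    #   factors = list_factors(ORG_URL, API_TOKEN, USER_ID)
    #   reset_okta_verify(USER_ID, factors,
    #                     lambda u, fid: unenroll_factor(ORG_URL, API_TOKEN, u, fid))
    #   assert not okta_verify_factors(list_factors(ORG_URL, API_TOKEN, USER_ID))
```

The re-list after unenrolling is the check that matters for the question above: a reset that clears token:software:totp but leaves signed_nonce shows up as a non-empty list from `okta_verify_factors`, so the script treats the reset as incomplete until that list is empty. The API token needs an admin role that may manage the user's factors.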