Security Question and Email Recovery activity report

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D5KZ00001PO0sX0ATOkta Classic EngineInsights and ReportingAnswered2025-09-30T15:35:20.000Z2025-09-25T18:47:50.000Z2025-09-30T15:35:20.000Z

JustinM.07111 (Customer) asked a question.

September 25, 2025 at 6:47 PM

Security Question and Email Recovery activity report

We have SQ and ER as a factor for user recovery. We would like to remove these, but I'm having a hard time nailing down the exact report to show me how often these are used for account recovery (unlock and password). Using various keywords I can get incredibly different results. Can anyone help me write a query in the system logs that will show me this, accurately? I only want to know the ones done by the user themselves, not the auto-unlock by the system, or failures - just the times attempted by the users.

Insights and Reporting

Top Rated Answers

User17157611498146715886 (Customer Support Online Community and Social Care)
9 months ago
Hello @JustinM.07111 (Customer) , thank you for contacting Okta Community.

You can try the following to list all events in which the Security Question or Email authenticators were used to unlock an account or reset a password via self-service:
(debugContext.debugData.factorIntent eq "RECOVERY" or debugContext.debugData.factorIntent eq "UNLOCK_ACCOUNT") and (debugContext.debugData.factor eq "EMAIL_FACTOR" or debugContext.debugData.factor eq "SECURITY_QUESTION")
If you want to filter only for the successful events, add "and outcome.result eq "SUCCESS"" at the end of the above query, like so:
(debugContext.debugData.factorIntent eq "RECOVERY" or debugContext.debugData.factorIntent eq "UNLOCK_ACCOUNT") and (debugContext.debugData.factor eq "EMAIL_FACTOR" or debugContext.debugData.factor eq "SECURITY_QUESTION") and outcome.result eq "SUCCESS"
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Join the discussion for our Ask Me Anything on September 29, 2025: Device Assurance. Ask our expert questions.
Expand Post
Selected as Best

All Answers

User17157611498146715886 (Customer Support Online Community and Social Care)
9 months ago
Hello @JustinM.07111 (Customer) , thank you for contacting Okta Community.

You can try the following to list all events in which the Security Question or Email authenticators were used to unlock an account or reset a password via self-service:
(debugContext.debugData.factorIntent eq "RECOVERY" or debugContext.debugData.factorIntent eq "UNLOCK_ACCOUNT") and (debugContext.debugData.factor eq "EMAIL_FACTOR" or debugContext.debugData.factor eq "SECURITY_QUESTION")
If you want to filter only for the successful events, add "and outcome.result eq "SUCCESS"" at the end of the above query, like so:
(debugContext.debugData.factorIntent eq "RECOVERY" or debugContext.debugData.factorIntent eq "UNLOCK_ACCOUNT") and (debugContext.debugData.factor eq "EMAIL_FACTOR" or debugContext.debugData.factor eq "SECURITY_QUESTION") and outcome.result eq "SUCCESS"
Regards.
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Join the discussion for our Ask Me Anything on September 29, 2025: Device Assurance. Ask our expert questions.
Expand Post
Selected as Best
BrandonB.06003 (Customer)
9 months ago
You can first check the MFA usage report which at least shows you who is enrolled then that query provided by Diana can help you narrow down the usage. but keep in mind that report only goes back 90 days or so have to use it with a grain of salt
Expand Post

This question is closed.

Recommended content

Forum

Can we have email as the only Authentication with security question for Recovery.

Forum

would like to create email activity based on security report

Forum

Report for Active and Deactivated accounts

Forum

Okta Security Advisory Email Alerts

Loading

Security Question and Email Recovery activity report