Add a rule for identity verification for account actions

Early Access release. See Enable self-service features.

Add this rule to require users to verify their identity with an identity verification (IDV) vendor when they need to perform account actions, like enrollment and recovery.

Prerequisites

If your org uses the third-generation Sign-In Widget, upgrade to version 7.20 or later for all brands.
Create an IDV vendor. See Add an identity verification vendor as an identity provider.

Add the rule

In the Admin Console, go to Security > Authentication Policies .
Select Okta account management.
Click Add Rule.
Enter a descriptive rule name, like Identity verification-based enrollment.
Set the following IF conditions.
- User' user type is: Any user type
- User's group membership includes: Any
- User is: Any
- Device platform is: Any platform
- User's IP is: Any
- Risk is: Any
- The following custom expression is true: accessRequest.operation == 'enroll'
Set the following THEN conditions.
- Access is: Allowed after successful, and then Identity verification
- Identity verification service: Any IDV option
Click Save.

Note:

Set this rule's priority above the catch-all but below the first phishing-resistant authenticator (if you added one). Be sure that the first phishing-resistant authenticator rule stays at priority 1.

User experience

Users verify their identity with an IDV instead of using an authenticator. The user experience is different with each IDV.