
December 2023: This is an Early Access Feature
March 2024: Updated information about the Registry Policy for self-service-password
Introduction
Self-service password reset allows your users to initiate a password reset if they’re locked out of the computer. Self-service password reset requires users to be online.
Users can’t initiate a password reset without an internet connection.
The self-service password reset function is designed for the following users:
- Users created in Okta
- Active Directory users with delegated authentication
- Azure Active Directory users, where Okta is the Identity Provider
- Okta-sourced users
Prerequisites
Before enabling self-service password reset, ensure that your Okta password policy and your AD Agent password policies match.
A step-by-step guide on how to implement Okta Device Access Desktop MFA is available here.
You need Okta Verify version 4.8.1 or later deployed.

Create/Adjust Desktop MFA Policies
After the Okta Verify application has been deployed, we need to adjust/configure our Desktop MFA policies to be able to use the self-service password feature.
Navigate to HKLM\Software\Policies\Okta\Okta Device Access in the registry on your device.

Add the registry value EnableSelfServicePasswordReset and set it to 1.
As of Okta Verify version 4.10.4, the registry entry must instead be named SelfServicePasswordResetEnabled.
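As an added example (not from Okta's documentation or the original post), the following PowerShell picks the value name that matches the deployed Okta Verify version, writes the policy value under the key named above, and reads it back to confirm. It assumes the value is a REG_DWORD and that the version boundaries are exactly as stated on this page (4.8.1 minimum, 4.10.4 rename).

```powershell
# Policy key from this page; run in an elevated PowerShell session.
$PolicyKey = 'HKLM:\Software\Policies\Okta\Okta Device Access'

function Get-SsprValueName {
    param([Parameter(Mandatory)][version]$OktaVerifyVersion)
    # Assumption: 4.8.1 is the minimum for the feature; builds before 4.10.4
    # read EnableSelfServicePasswordReset, 4.10.4 and later read
    # SelfServicePasswordResetEnabled (both names as given on this page).
    if ($OktaVerifyVersion -lt [version]'4.8.1') {
        throw "Okta Verify $OktaVerifyVersion is below the 4.8.1 minimum for this feature."
    }
    if ($OktaVerifyVersion -ge [version]'4.10.4') { 'SelfServicePasswordResetEnabled' }
    else { 'EnableSelfServicePasswordReset' }
}

function Set-OktaSspr {
    param(
        [Parameter(Mandatory)][version]$OktaVerifyVersion,
        [bool]$Enabled = $true
    )
    $name = Get-SsprValueName -OktaVerifyVersion $OktaVerifyVersion
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    # Assumption: REG_DWORD, 1 = enabled, 0 = disabled.
    New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
    # Read back so a silent failure (e.g. wrong hive, no rights) is caught.
    $actual = (Get-ItemProperty -Path $PolicyKey -Name $name).$name
    if ($actual -ne [int]$Enabled) {
        throw "Readback of $name returned '$actual', expected $([int]$Enabled)."
    }
    [pscustomobject]@{ ValueName = $name; Value = $actual }
}

# Example: the device runs Okta Verify 4.10.4 or later.
Set-OktaSspr -OktaVerifyVersion '4.10.4'
```

If a fleet mixes Okta Verify builds on both sides of 4.10.4, run the function with each device's actual version rather than assuming one value name.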

Configuration steps
In the Admin Console, open Settings –> Features.

Locate and enable the following Early access features:
- Direct Authentication
- IDP My Account API Password

Still in the Okta Admin Console, open Security –> Authenticators.

On the Password line, click Actions –> Edit.

Scroll to the section with the Add rule button. Click the pencil icon to edit the rule of the policy you want to modify.

Optional: If you use delegated authentication, ensure that the policy applies to Active Directory. Under the Authentication Providers heading, use the dropdown menu to select Active Directory.

Next to Users can perform self-service, enable the Password reset option.

In the Recovery authenticators section, ensure that Okta Verify is selected and click Save or Update rule.

Self-service password reset overview
If the self-service password reset option has been enabled, users can initiate a password reset if they’ve forgotten their password. Users must be online to reset their password.
When a user forgets their password, they click the Forgot password? button on the Windows computer.

The user is asked to verify their identity with Okta Verify on the user’s mobile device.

After the user’s identity has been verified, they’re prompted for a new password on their Windows computer.
This new password must meet the password requirements and is entered twice to confirm the password selection.

When the password has been successfully changed, the user receives a message saying “Your password has been changed.”

Click OK to continue accessing the computer.
Demo (AD Users)
Now let’s have a look at this short demo of the self-service password feature for AD users with delegated authentication.
