Email is not received with forgotPassword authn API when MFA is enabled in Recovery flow


When the forgotPassword authn API is triggered with a username and factorType EMAIL, the email is not received even though the API returns a 200 OK response.
The API response body obtained is:
{
  "status": "RECOVERY_CHALLENGE",
  "factorResult": "WAITING",
  "factorType": "EMAIL",
  "recoveryType": "PASSWORD"
}
The System Log in the Okta Dashboard says: "Failure: Invalid User State".

This issue is observed only after enabling MFA as required in the Recovery flow. Otherwise, it was working fine with the same piece of code.
@erik @andrea

Hello,

I have exactly the same problem. Did anyone get a suggestion?

Hi,

Unfortunately, I didn't get a positive response after raising an Okta Support Case.
This was the response I received from the Okta Support Team:

Okta Support, Wed, Dec 6 16:36:24 GM

Hi Lincy,

After further investigation into this use case: when EMAIL is used for recovery via the API and Additional verification is set to "Any enrolled authenticator used for MFA/SSO", no email will be sent to the user.

The email is not being sent, and the "Invalid user state" error message generated would be expected, since according to our documentation: "you can't use the authenticators that you select for initiating recovery for providing additional verification. Verify that the authenticators you select for the AND Additional verification is option are different from those you select for the AND Users can initiate recovery with option."

Through my tests, I could use Email or Phone/SMS as the Self-Service Recovery option via the API with only Security Question or Not required set for Additional enrolled authenticators on the password policy rule; therefore I believe the same outcome should be returned via the SDK under these password policy conditions.

Please let me know if the above helps while using the SDK or if you have further questions.

Thank you,
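As an added example (not code from this thread or from Okta), a small check for the misconfiguration Okta Support describes: a password policy rule whose recovery initiator (email) is also accepted for additional verification, which is the setup where the authn API answers 200 / WAITING but no email goes out. The rule JSON shape, actions.selfServicePasswordReset.requirement with primary.methods and stepUp.methods, is assumed from the Okta password policy rule API; the ANY_ENROLLED marker and the sample rules are constructed.

```python
from typing import Dict, List

# Constructed placeholder for the "Any enrolled authenticator used for
# MFA/SSO" setting; not an Okta API value.
ANY_ENROLLED = "ANY_ENROLLED"


def recovery_overlap(rule: Dict) -> List[str]:
    """Recovery-initiator methods that are also step-up methods.

    Shape assumed: actions.selfServicePasswordReset.requirement with
    primary.methods and stepUp.{required,methods}. A non-empty result
    is the clash behind the "Invalid User State" System Log entry.
    """
    req = rule["actions"]["selfServicePasswordReset"]["requirement"]
    primary = [m.lower() for m in req["primary"]["methods"]]
    step_up = req.get("stepUp", {})
    if not step_up.get("required", False):
        return []  # no additional verification, nothing can clash
    step_methods = {m.lower() for m in step_up.get("methods", [])}
    if ANY_ENROLLED.lower() in step_methods:
        return primary  # every initiator may also serve as step-up
    return [m for m in primary if m in step_methods]


def audit_rules(rules: List[Dict]) -> List[str]:
    """One finding per rule whose recovery and step-up methods overlap."""
    return [f"{r['name']}: recovery methods {recovery_overlap(r)} are also "
            "accepted for additional verification"
            for r in rules if recovery_overlap(r)]


def make_rule(name: str, primary: List[str], step_up: Dict) -> Dict:
    """Build a constructed sample rule in the assumed API shape."""
    return {"name": name, "actions": {"selfServicePasswordReset": {
        "access": "ALLOW", "requirement": {
            "primary": {"methods": primary}, "stepUp": step_up}}}}


# Constructed samples: the thread's failing setup plus two safe variants.
SAMPLE_RULES = [
    make_rule("mfa-any-enrolled", ["email"],
              {"required": True, "methods": [ANY_ENROLLED]}),
    make_rule("security-question", ["email", "sms"],
              {"required": True, "methods": ["security_question"]}),
    make_rule("no-step-up", ["email"], {"required": False}),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Running it against a real tenant means fetching the password policy rules first and feeding them in place of SAMPLE_RULES.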