Hi
While creating/updating users on an Okta instance, I noticed that multiple users can have the same email, and login/username is the only unique attribute.
So when I tried to reset the password using the forgot password option, the reset password link is sent to the email ID for any of the accounts.
Now, if two persons have the same email in Okta, the reset password link for two different users is sent to the same email ID, and this leads to a security threat, as another person can open the email and reset the password.
I am trying to understand the reason why the same email can be shared among multiple accounts?
We are assuming that one person, a developer or an admin for example, might need to create multiple Okta users for various reasons (e.g. testing stuff). We don’t want them to have to set up multiple email addresses for each Okta user. That’s why email is not a unique attribute right now.
The security threat you mention is only a problem if multiple people share access to a single email account, such as a distribution list. We recommend that only individual email addresses be used for Okta users for this reason.
In the future, we're looking to enable you to use the email attribute to log in, at which point we would require the email attribute to be unique as well.
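The check a practitioner would want after reading the answer above: an added Python example (not from this thread or from Okta) that groups user records by normalized email and reports every login that shares one. The records are constructed to match the shape of Okta's GET /api/v1/users response (`profile.login`, `profile.email`, `status`); fetching them with an API token and paging is assumed and not shown.

```python
from collections import defaultdict

# Constructed sample in the shape of Okta's GET /api/v1/users response:
# profile.login is unique, profile.email is not. All values are made up.
SAMPLE_USERS = [
    {"id": "u1", "status": "ACTIVE",
     "profile": {"login": "alice@example.com", "email": "alice@example.com"}},
    {"id": "u2", "status": "ACTIVE",
     "profile": {"login": "alice.test1", "email": "Alice@Example.com"}},
    {"id": "u3", "status": "ACTIVE",
     "profile": {"login": "bob@example.com", "email": "bob@example.com"}},
    {"id": "u4", "status": "DEPROVISIONED",
     "profile": {"login": "bob.old", "email": "bob@example.com"}},
    {"id": "u5", "status": "ACTIVE",
     "profile": {"login": "svc-ci", "email": "devteam@example.com"}},
    {"id": "u6", "status": "ACTIVE",
     "profile": {"login": "svc-deploy", "email": "devteam@example.com"}},
]


def normalize_email(addr):
    """Trim and case-fold so 'Alice@Example.com' and 'alice@example.com' match."""
    return (addr or "").strip().lower()


def find_shared_emails(users, ignore_statuses=("DEPROVISIONED",)):
    """Return {email: [logins]} for every email attached to more than one
    user that could still receive a password reset link.

    Deprovisioned users are skipped by default because they cannot
    request a reset; pass ignore_statuses=() to include them.
    """
    by_email = defaultdict(list)
    for user in users:
        if user.get("status") in ignore_statuses:
            continue
        email = normalize_email(user["profile"].get("email"))
        if email:
            by_email[email].append(user["profile"]["login"])
    return {e: sorted(logins) for e, logins in by_email.items() if len(logins) > 1}


if __name__ == "__main__":
    # Each line printed is one mailbox that can reset more than one account.
    for email, logins in find_shared_emails(SAMPLE_USERS).items():
        print(f"{email}: {', '.join(logins)}")
```

Shared addresses that belong to one developer's test accounts are expected per the answer above; the ones to review are those that map to a distribution list or a mailbox more than one person reads.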