Which authenticator can be used to initiate self-service account recovery?

Self-service account recovery is a feature that allows users to regain access to their accounts without requiring direct assistance from IT support. In this context, using a phone as an authenticator is particularly advantageous because it typically provides a secure and reliable method for verifying user identity.

When a user opts for account recovery, they often receive a verification code via SMS or a call to their registered phone number. This process utilizes something the user has (their phone) to authenticate their identity, making it a strong method of confirmation. Additionally, using a phone number is a common practice that many users are familiar with, contributing to a smoother recovery experience.

Okta Verify (FastPass), while a sophisticated mechanism for authentication, primarily functions as a method for logging in rather than recovering accounts. FIDO2/WebAuthn is a passwordless standard that is geared more toward secure authentication rather than account recovery. Email can also serve as a method for account recovery, but it may not always be as secure as using a phone, given the potential for compromised email accounts.

Overall, the phone authenticator stands out due to its combination of widespread use, efficiency, and security in self-service account recovery scenarios.