MFA requirements

This security task ensures that multifactor authentication (MFA) requirements aren't in conflict with Okta Behavior Detection. It also ensures that MFA policy rules aren't bypassed.

These settings appear on the Okta Sign-On Policy Add Rule or Edit Rule page. This combination creates a mismatch between the policy's condition and its action:



Behavior is New Device
Users will be prompted for MFA

You've selected one of these options:

  • When signing in with a new device cookie
  • After MFA lifetime expires for the device cookie

When users select this security task, recommendations to correct the configuration appear.

HealthInsight task recommendation

Set require factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Okta recommends

Select At every sign in for the Users will be prompted for MFA option on the Okta Sign-On Policy Add Rule or Edit Rule page. See Configure an Okta sign-on policy for instructions.

Security impact


End-user impact


Related topics

HealthInsight tasks and recommendations

Configure Okta ThreatInsight

About multifactor authentication

General Security

About Behavior Detection