Security Question (MFA)

The Security Question factor prompts end users to enter a correct response to a question that they've selected from a list of possible questions.

The Security Question factor:

  • Supports authentication (MFA/SSO) and user password recovery when enabled for these scenarios. If disabled for MFA/SSO, it will not be included as part of Okta sign-on policy evaluation.
  • Okta recommends against using security questions in any authentication flow.

Add Security Question as a factor

  1. In the Admin Console, go to Security > Multifactor.
  2. On the Factor Types tab, click Security Question.
  3. Click Inactive, then select Activate.
  4. Configure an MFA enrollment policy. See Configure an MFA enrollment policy for instructions.

Disable the Security Question factor

Before you can disable the Security Question factor, you must remove it from any MFA enrollment policy or self-service password reset policy in which it appears.

  1. In the Admin Console, go to Security > Multifactor.
  2. Select the Factor Enrollment tab, and select a policy in which the Security Question factor appears.
  3. Click Edit.
  4. For the Security Question factor, select Disabled from the dropdown.
  5. Click Update policy.

End-user experience

The first time users sign in to their orgs after you configure this factor, they see the Extra verification is required for your account page and must perform the following steps:

  1. In the Okta End-User Dashboard, click your name and select Settings.
  2. In the Extra Verification section, click Set up beside Security Question. You might need to authenticate again.
  3. On the Set up multifactor authentication screen, click Setup.
  4. Select a question from the dropdown, and enter the answer in the Answer field.
  5. Click Save.

The next time the user signs in, they might be prompted to answer their security question, depending on the requirements their admin has configured in sign-on policies.


All the following guidelines are required for security questions:

  • The answer to a security question must be at least four characters long; however, a longer length can be specified for recovery flows in a Group Password Policy.
  • The answer to a security question can't be the user's password or user name.
  • The answer to the security question can't be included in the question.

Related topics

Configure an app sign-on policy

Configure an MFA enrollment policy

Configure a password policy

Configure an Okta sign-on policy