Set required factors for MFA enrollment policies

Enabling at least one required factor for your org ensures that end users assigned to a given policy are enrolled in MFA.

Once a required factor is set, you can also update your Okta sign-on policy to prompt users to enroll in the factor the next time they sign in.

HealthInsight task recommendation

Set required factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Okta recommends

Require at least one factor in every MFA enrollment policy.

Security impact

High

End-user impact

Low

If a factor is required as part of the MFA enrollment policy, end users must enroll in the factor before they can sign in to their org. Setup varies depending on the factor specified.

Set a required factor in an MFA enrollment policy

  1. In the Admin Console, go to Security > Multifactor. The Factor Types page appears.
  2. Click Factor Enrollment to switch to factor enrollment policies and rules.
  3. Select a policy and click Edit to modify it.
  4. From the list of eligible factors, set at least one factor to Required.
  5. Click Update Policy.
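
To confirm the setting across every enrollment policy rather than checking each one in the console, the added example below (not Okta's own code) audits exported policy JSON and reports active MFA enrollment policies with no factor set to Required. It assumes the JSON has the shape returned by the Okta Policy API for `GET /api/v1/policies?type=MFA_ENROLL`, with either a `settings.factors` map or a `settings.authenticators` list; the policy names and the function names `required_factors` and `audit` are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Policy API response for type=MFA_ENROLL
# (assumed shape; policy names and values are made up for this example).
SAMPLE_POLICIES = json.loads("""
[
  {"name": "Default Policy", "status": "ACTIVE",
   "settings": {"factors": {
     "okta_otp": {"enroll": {"self": "OPTIONAL"}},
     "okta_sms": {"enroll": {"self": "NOT_ALLOWED"}}}}},
  {"name": "Contractors", "status": "ACTIVE",
   "settings": {"factors": {"okta_otp": {"enroll": {"self": "REQUIRED"}}}}},
  {"name": "Engineering", "status": "ACTIVE",
   "settings": {"type": "AUTHENTICATORS", "authenticators": [
     {"key": "okta_verify", "enroll": {"self": "REQUIRED"}}]}},
  {"name": "Retired pilot", "status": "INACTIVE",
   "settings": {"factors": {}}}
]
""")


def required_factors(policy):
    """Return the sorted names of factors this policy marks as REQUIRED."""
    settings = policy.get("settings") or {}
    found = []
    # Map form: {"<factor name>": {"enroll": {"self": "REQUIRED"}}}
    for name, cfg in (settings.get("factors") or {}).items():
        if ((cfg or {}).get("enroll") or {}).get("self") == "REQUIRED":
            found.append(name)
    # List form: [{"key": "<authenticator>", "enroll": {"self": "REQUIRED"}}]
    for auth in settings.get("authenticators") or []:
        if (auth.get("enroll") or {}).get("self") == "REQUIRED":
            found.append(auth.get("key", "unknown"))
    return sorted(found)


def audit(policies):
    """Return names of ACTIVE policies that have no required factor."""
    return [p.get("name", "<unnamed>") for p in policies
            if p.get("status") == "ACTIVE" and not required_factors(p)]


if __name__ == "__main__":
    for name in audit(SAMPLE_POLICIES):
        print(f"FINDING: active MFA enrollment policy {name!r} "
              "has no required factor")
```

Inactive policies are skipped because they are not applied to any user; a policy with only Optional or disabled factors is reported.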

Prompt an end user to enroll in a required factor

To prompt an end user to enroll in a required factor, you may do one of the following:

  • Set an Okta sign-on policy rule that prompts a user for factor enrollment.
  • Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA.
  • Set a factor enrollment policy rule that prompts the user to enroll in a factor the first time they sign in to their org.

Create an Okta sign-on policy rule that prompts for factor enrollment

  1. From the Admin Console menu, click Security > Authentication. The Authentication policies page appears.
  2. Click Sign On to access Sign-On Policies.
  3. Select the policy and from the list of associated rules, click Edit to start modifying an existing policy rule. You can also create a rule.
  4. From the Edit Rule window, select Prompt for Factor.
  5. Click Update Rule.

Create a factor enrollment policy rule that allows users to enroll in a factor when challenged for MFA

  1. In the Admin Console, go to Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule dialog appears.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user is challenged for MFA.
  5. Click Update Rule.

Create a factor enrollment policy rule that prompts new users to enroll in a factor the first time they sign in to their org

  1. In the Admin Console, go to Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule dialog appears.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user signs in.
  5. Click Update Rule.

Related topics

HealthInsight tasks and recommendations

Network zones

Configure Okta ThreatInsight

Sign-on notifications for end users

Password changed notification for end users

Factor enrollment notifications for end users

Factor reset notifications for end users

Administrators

General Security