Security Question (MFA)

The Security Question factor prompts end users to enter a correct response to a question that they've selected from a list of possible questions.

The Security Question factor:

This factor supports authentication (MFA/SSO) and user password recovery when enabled for these scenarios. If you disable this factor for MFA/SSO, the Okta sign-on policy doesn't evaluate it.

Okta recommends against using security questions in any authentication flow.

Add Security Question as a factor

  1. In the Admin Console, go to SecurityMultifactor.
  2. On the Factor Types tab, click Security Question.
  3. Click Inactive, then select Activate.
  4. Configure an MFA enrollment policy. See Configure an MFA enrollment policy for instructions.

Disable the Security Question factor

Before you can disable the Security Question factor, you must remove it from any MFA enrollment policy or self-service password reset policy in which it appears.

  1. In the Admin Console, go to SecurityMultifactor.
  2. Select the Factor Enrollment tab, and select a policy in which the Security Question factor appears.
  3. Click Edit.
  4. For the Security Question factor, select Disabled from the dropdown.
  5. Click Update policy.

End-user experience

When users sign in after you enable this factor, they see the Extra verification is required for your account page. They must perform the following steps:

  1. In the Okta End-User Dashboard, click your name and select Settings.
  2. In the Extra Verification section, click Set up beside Security Question. You might need to authenticate again.
  3. On the Set up multifactor authentication page, click Setup.
  4. Select a question from the dropdown, and enter the answer in the Answer field.
  5. Click Save.

The next time the user signs in, they might be prompted to answer their security question, depending on the requirements their admin has configured in sign-on policies.


All the following guidelines are required for security questions:

  • The answer to a security question must be at least four characters long. You can also specify a longer length for recovery flows in a Group Password Policy.
  • The answer to a security question can't be the user's password or username.
  • The answer to the security question can't be included in the question.

Related topics

Configure an app sign-on policy

Configure an MFA enrollment policy

Configure a password policy

Configure an Okta sign-on policy