Set required factors for MFA enrollment policies

Enabling at least one required factor for your org ensures that end users assigned to a given policy are enrolled in MFA.

Once a required factor is set, you can also update your sign-on policy to prompt users to enroll in the factor the next time they sign in.


HealthInsight: Why is this task recommended?


This is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Set required factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Security impact: Low

End-user impact: High

Okta recommends: Require at least one factor in every MFA enrollment policy.


End-user experience and impact


If a factor is set to required as part of the MFA enrollment policy, end users must enroll in the factor before they can sign in to their org. Setup varies depending on the factor specified.


Procedure



Set a required factor in an MFA enrollment policy

  1. From the admin console menu, click Security > Multifactor. The Factor Types page is displayed.
  2. Click Factor Enrollment to switch to factor enrollment policies and rules.
  3. Select a policy and click Edit to modify it.
  4. From the list of eligible factors, set at least one factor to Required.

    Setting a required factor in an MFA enrollment policy.

  5. Click Update Policy to save changes to your Factor Enrollment policy.


To prompt an end user to enroll in a required factor, do one of the following:

  • Set a sign-on policy rule that prompts a user for factor enrollment.
  • Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA.
  • Set a factor enrollment policy rule that prompts the user to enroll in a factor the first time they sign in to their org.


Set a sign-on policy rule that prompts for factor enrollment

  1. From the admin console menu, click Security > Authentication. The Authentication policies page is displayed.
  2. Click Sign On to access Sign-On Policies.
  3. Select the policy and from the list of associated rules, click Edit to start modifying an existing policy rule. You can also create a new rule.
  4. From the Edit Rule window, select Prompt for Factor.

    Updating the sign-on policy to prompt end users to enroll in a factor at sign in.

  5. Click Update Rule to continue.


Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA

  1. From the admin console menu, click Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule window is displayed.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user is challenged for MFA.
  5. Click Update Rule to save your changes.


Set a factor enrollment policy rule that prompts a new user to enroll in a factor the first time they sign in to their org

  1. From the admin console menu, click Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule window is displayed.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user signs in.
  5. Click Update Rule to save your changes.
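The three procedures above (a required factor in the enrollment policy, a sign-on rule that prompts for a factor, and an enrollment rule that enrolls at first challenge or first sign-in) each correspond to one field in the Okta Policy API. The script below is an added example, not Okta's own code, that audits an org against the HealthInsight recommendation using those fields: a policy passes only if at least one factor has enroll.self set to REQUIRED and an active rule enrolls users (LOGIN or CHALLENGE rather than NEVER). The sample policies, rules and ids are constructed for the example; org_url and api_token in fetch_policies are the caller's own values, and that function is not run here.

```python
"""Audit Okta MFA_ENROLL policies for "at least one required factor".

Added example (not Okta's code). JSON shapes follow the Okta Policy API:
GET /api/v1/policies?type=MFA_ENROLL and GET /api/v1/policies/{id}/rules.
"""
import json
import urllib.request

# Constructed sample data shaped like Policy API responses; ids are placeholders.
SAMPLE_POLICIES = [
    {"id": "policy-example-1", "name": "Default Policy", "type": "MFA_ENROLL",
     "settings": {"type": "FACTORS", "factors": {
         "okta_verify": {"consent": {"type": "NONE"}, "enroll": {"self": "REQUIRED"}},
         "okta_sms": {"consent": {"type": "NONE"}, "enroll": {"self": "OPTIONAL"}},
     }}},
    {"id": "policy-example-2", "name": "Contractors", "type": "MFA_ENROLL",
     "settings": {"type": "FACTORS", "factors": {
         "okta_sms": {"consent": {"type": "NONE"}, "enroll": {"self": "OPTIONAL"}},
     }}},
]
SAMPLE_RULES = {
    "policy-example-1": [{"id": "rule-example-1", "name": "Default Rule",
                          "status": "ACTIVE", "actions": {"enroll": {"self": "LOGIN"}}}],
    "policy-example-2": [{"id": "rule-example-2", "name": "Default Rule",
                          "status": "ACTIVE", "actions": {"enroll": {"self": "NEVER"}}}],
}
# A constructed OKTA_SIGN_ON rule: "Prompt for Factor" is actions.signon.requireFactor.
SAMPLE_SIGNON_RULE = {"name": "Default Rule", "status": "ACTIVE",
                      "actions": {"signon": {"access": "ALLOW", "requireFactor": True,
                                             "factorPromptMode": "SESSION"}}}


def required_factors(policy):
    """Factor keys whose self-enrollment is REQUIRED (the console's Required setting)."""
    factors = policy.get("settings", {}).get("factors", {})
    return sorted(k for k, v in factors.items()
                  if v.get("enroll", {}).get("self") == "REQUIRED")


def enrollment_prompt_rules(rules):
    """Names of active rules that enroll users at first sign-in (LOGIN) or
    first MFA challenge (CHALLENGE); rules set to NEVER are excluded."""
    return [r["name"] for r in rules
            if r.get("status") == "ACTIVE"
            and r.get("actions", {}).get("enroll", {}).get("self") in ("LOGIN", "CHALLENGE")]


def signon_rule_prompts_for_factor(rule):
    """True when a sign-on policy rule has Prompt for Factor enabled."""
    return bool(rule.get("actions", {}).get("signon", {}).get("requireFactor", False))


def audit(policies, rules_by_policy):
    """One finding per policy; compliant means a required factor AND a rule that enrolls."""
    findings = []
    for p in policies:
        req = required_factors(p)
        prompting = enrollment_prompt_rules(rules_by_policy.get(p["id"], []))
        findings.append({"policy": p["name"], "required_factors": req,
                         "prompting_rules": prompting,
                         "compliant": bool(req) and bool(prompting)})
    return findings


def fetch_policies(org_url, api_token):
    """Pull live MFA_ENROLL policies and their rules (assumed caller-supplied
    org URL and SSWS API token; not executed in this example)."""
    def get(path):
        req = urllib.request.Request(org_url.rstrip("/") + path,
                                     headers={"Authorization": "SSWS " + api_token,
                                              "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    policies = get("/api/v1/policies?type=MFA_ENROLL")
    rules = {p["id"]: get("/api/v1/policies/%s/rules" % p["id"]) for p in policies}
    return policies, rules


if __name__ == "__main__":
    for f in audit(SAMPLE_POLICIES, SAMPLE_RULES):
        print(("PASS" if f["compliant"] else "FAIL"), f["policy"],
              "required=%s rules=%s" % (f["required_factors"], f["prompting_rules"]))
    print("sign-on rule prompts for factor:", signon_rule_prompts_for_factor(SAMPLE_SIGNON_RULE))
```

Against the sample data the "Default Policy" passes (okta_verify is REQUIRED and its rule enrolls at LOGIN) while "Contractors" fails on both counts, which is the combination the HealthInsight task flags: a required factor without a rule that prompts, or a prompting rule without a required factor, still leaves users unenrolled. Swap the sample for the tuple returned by fetch_policies to audit a live org.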
