Set required factors for MFA enrollment policies

Enabling at least one required factor for your org ensures that end users assigned to a given policy are enrolled in MFA.

Once a required factor is set, you can also update your sign-on policy to prompt users to enroll in the factor the next time they sign in.

 

HealthInsight: Why is this task recommended?


This feature is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Set required factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Security impact: Low

End-user impact: High

Okta recommends: Require at least one factor in every MFA enrollment policy.

 

End-user experience and impact


If a factor is set to required as part of the MFA enrollment policy, end users must enroll in the factor before they can sign in to their org. Setup varies depending on the factor specified.

 

Procedure


 

Set a required factor in an MFA enrollment policy

  1. From the admin console menu, click Security > Multifactor. The Factor Types page is displayed.
  2. Click Factor Enrollment to switch to factor enrollment policies and rules.
  3. Select a policy and click Edit to modify it.
  4. From the list of eligible factors, set at least one factor to Required.

    [Screenshot: Setting a required factor in an MFA enrollment policy.]

  5. Click Update Policy to save changes to your Factor Enrollment policy.
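To check that the recommendation above holds for every MFA enrollment policy in the org, not just the one you edited, the following added audit script (not Okta's own code) flags active policies with no factor set to Required. It assumes the response shape of Okta's Policies API (`GET /api/v1/policies?type=MFA_ENROLL`, where each policy carries `settings.factors.<factorType>.enroll.self` set to `REQUIRED`, `OPTIONAL`, or `NOT_ALLOWED`) and runs over constructed sample policies embedded inline.

```python
"""Audit Okta MFA enrollment policies for at least one REQUIRED factor.

Added example, not Okta's code. Assumption: the input is the JSON body of
GET /api/v1/policies?type=MFA_ENROLL, where each policy holds
settings.factors.<factorType>.enroll.self = REQUIRED | OPTIONAL | NOT_ALLOWED.
"""
import json

# Constructed sample: policy 2 is ACTIVE but every factor is optional or
# disallowed, so its users can sign in without ever enrolling in MFA.
SAMPLE_POLICIES_JSON = """[
  {"id": "pol-constructed-1", "name": "Default Policy", "status": "ACTIVE",
   "settings": {"factors": {
     "okta_otp": {"enroll": {"self": "REQUIRED"}},
     "okta_sms": {"enroll": {"self": "OPTIONAL"}}}}},
  {"id": "pol-constructed-2", "name": "Contractors", "status": "ACTIVE",
   "settings": {"factors": {
     "okta_push": {"enroll": {"self": "OPTIONAL"}},
     "okta_sms":  {"enroll": {"self": "NOT_ALLOWED"}}}}},
  {"id": "pol-constructed-3", "name": "Legacy", "status": "INACTIVE",
   "settings": {"factors": {}}}
]"""


def load_policies(json_text):
    """Parse the API response body into a list of policy dicts."""
    policies = json.loads(json_text)
    if not isinstance(policies, list):
        raise ValueError("expected a JSON array of policies")
    return policies


def factors_with_state(policy, state):
    """Return factor types whose self-enrollment setting equals `state`."""
    factors = (policy.get("settings") or {}).get("factors") or {}
    return sorted(ftype for ftype, cfg in factors.items()
                  if ((cfg.get("enroll") or {}).get("self")) == state)


def required_factors(policy):
    return factors_with_state(policy, "REQUIRED")


def policies_without_required_factor(policies, active_only=True):
    """Policies that let assigned users skip MFA enrollment entirely.

    Inactive policies are skipped by default; they enforce nothing, but a
    report with active_only=False shows them so they are not re-enabled as-is.
    """
    findings = []
    for pol in policies:
        if active_only and pol.get("status") != "ACTIVE":
            continue
        if not required_factors(pol):
            findings.append({"id": pol.get("id"), "name": pol.get("name"),
                             "optional_factors": factors_with_state(pol, "OPTIONAL")})
    return findings
```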

 

To prompt an end user to enroll in a required factor, do one of the following:

  • Set a sign-on policy rule that prompts a user for factor enrollment.
  • Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA.
  • Set a factor enrollment policy rule that prompts the user to enroll in a factor the first time they sign in to their org.

 

Set a sign-on policy rule that prompts for factor enrollment

  1. From the admin console menu, click Security > Authentication. The Authentication policies page is displayed.
  2. Click Sign On to access Sign-On Policies.
  3. Select the policy, then in the list of associated rules click Edit to modify an existing rule, or create a new rule.
  4. From the Edit Rule window, select Prompt for Factor.

    [Screenshot: Updating the sign-on policy to prompt end users to enroll in a factor at sign-in.]

  5. Click Update Rule to continue.

 

Set a factor enrollment policy rule that allows a user to enroll in a factor when challenged for MFA

  1. From the admin console menu, click Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule window is displayed.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user is challenged for MFA.
  5. Click Update Rule to save your changes.

 

Set a factor enrollment policy rule that prompts a new user to enroll in a factor the first time they sign in to their org

  1. From the admin console menu, click Security > Multifactor.
  2. Click Factor Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule window is displayed.
  4. Under the condition THEN Enroll in multi-factor, select the first time a user signs in.
  5. Click Update Rule to save your changes.
