Enable strong MFA factors in factor enrollment policies

An Okta admin can configure MFA at the organization level or application level. When MFA is enabled for either, end users are prompted to confirm their credentials with factors both when signing in to Okta and when accessing an application. Strong factors have better resistance to phishing and man-in-the-middle attacks.


HealthInsight: Why is this task recommended?

This is a HealthInsight security task. For more security recommendations from Okta, see HealthInsight.

Enable strong MFA factors to improve resistance to phishing and man-in-the-middle attacks.

Security impact: Moderate

End-user impact: High

Okta recommends: Update factor enrollment policies based on the following:

  • Security Questions: Do not use as a second factor.
  • SMS/Email/Voice: Avoid using as a second factor.


End-user experience and impact

When signing in to their org, end users will be prompted to enroll in required factors and may enroll in any factors set to optional. Factors that have been disabled are not visible to end users.



To enable strong factors for factor enrollment:

  1. From the admin console, navigate to Security > Multifactor.
  2. Click Factor Enrollment.
  3. Click Edit to modify the enrollment policy of your choice.
  4. Set the factor of your choice to Required, Optional, or Disabled.


Note: The factor must be disabled in all factor enrollment policies before the factor type can be deactivated from the Factor Type tab.
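The procedure above is performed in the admin console. As an added example (not Okta's own code or documentation), the following Python script audits MFA enrollment policies for the weak factors this page recommends against and reports which factor types are already disabled in every active policy, which is the precondition the note gives for deactivating a factor type. It assumes the shape of an Okta Policies API response for `type=MFA_ENROLL` (each policy has `settings.factors.<factor_key>.enroll.self` set to `REQUIRED`, `OPTIONAL` or `NOT_ALLOWED`) and the factor keys `okta_question`, `okta_sms`, `okta_email` and `okta_call`; both the response shape and the keys are assumptions to verify against your own org's API output. The policy data is constructed inline so the script runs offline.

```python
"""Audit Okta MFA enrollment policies for weak second factors.

Added example, not from the Okta documentation page. The response shape
(settings.factors.<key>.enroll.self) and the factor keys below are the
example author's assumptions about the Okta Policies API for MFA_ENROLL
policies; confirm them against your org before relying on the output.
"""
import json

# Factor keys the page advises against, mapped to the page's guidance (assumed keys).
WEAK_FACTORS = {
    "okta_question": "Security Questions: do not use as a second factor",
    "okta_sms": "SMS: avoid using as a second factor",
    "okta_email": "Email: avoid using as a second factor",
    "okta_call": "Voice: avoid using as a second factor",
}


def enrollment_state(policy, factor_key):
    """Return REQUIRED, OPTIONAL or NOT_ALLOWED for one factor in one policy.

    A factor missing from settings.factors is treated as NOT_ALLOWED
    (assumption: an unlisted factor is not offered for enrollment).
    """
    factors = policy.get("settings", {}).get("factors", {})
    return factors.get(factor_key, {}).get("enroll", {}).get("self", "NOT_ALLOWED")


def active_enrollment_policies(policies):
    """Keep only active MFA_ENROLL policies; inactive ones do not apply to users."""
    return [p for p in policies
            if p.get("type") == "MFA_ENROLL" and p.get("status") == "ACTIVE"]


def find_weak_factors(policies):
    """List (policy name, factor key, state) for weak factors users can still enroll."""
    findings = []
    for policy in active_enrollment_policies(policies):
        for key in WEAK_FACTORS:
            state = enrollment_state(policy, key)
            if state in ("REQUIRED", "OPTIONAL"):
                findings.append((policy["name"], key, state))
    return findings


def deactivatable_factors(policies, factor_keys):
    """Factor keys that are NOT_ALLOWED in every active enrollment policy.

    Mirrors the page's note: a factor type can only be deactivated once it is
    disabled in all factor enrollment policies.
    """
    active = active_enrollment_policies(policies)
    return sorted(key for key in factor_keys
                  if all(enrollment_state(p, key) == "NOT_ALLOWED" for p in active))


# Constructed sample resembling three MFA_ENROLL policies (not real org data).
SAMPLE_POLICIES = json.loads("""
[
  {"id": "00pEXAMPLE1", "type": "MFA_ENROLL", "status": "ACTIVE", "name": "Default Policy",
   "settings": {"factors": {
     "okta_verify":   {"enroll": {"self": "REQUIRED"}},
     "okta_question": {"enroll": {"self": "OPTIONAL"}},
     "okta_sms":      {"enroll": {"self": "NOT_ALLOWED"}},
     "okta_email":    {"enroll": {"self": "OPTIONAL"}}}}},
  {"id": "00pEXAMPLE2", "type": "MFA_ENROLL", "status": "ACTIVE", "name": "Contractors",
   "settings": {"factors": {
     "fido_webauthn": {"enroll": {"self": "REQUIRED"}},
     "okta_sms":      {"enroll": {"self": "REQUIRED"}}}}},
  {"id": "00pEXAMPLE3", "type": "MFA_ENROLL", "status": "INACTIVE", "name": "Old Policy",
   "settings": {"factors": {
     "okta_question": {"enroll": {"self": "REQUIRED"}}}}}
]
""")


if __name__ == "__main__":
    for name, key, state in find_weak_factors(SAMPLE_POLICIES):
        print(f"{name}: {key} is {state} -> {WEAK_FACTORS[key]}")
    print("Disabled in all active policies, safe to deactivate:",
          deactivatable_factors(SAMPLE_POLICIES, WEAK_FACTORS))
```

Run against a real org, the `SAMPLE_POLICIES` literal would be replaced by the list returned from the policies API for enrollment policies; the audit logic itself does not change. Inactive policies are skipped deliberately, since they do not govern what end users see, but a weak factor left REQUIRED in an inactive policy will resurface if that policy is reactivated.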
