MFA enrollment policy

Learn how the MFA enrollment policy changes after the upgrade.

Change summary

The MFA enrollment policy is now called the authenticator enrollment policy.
Admin experience

These considerations apply to account recovery scenarios:

  • Email and security question authenticators are required if they're configured in the password policy rules for recovery.
  • Email is auto-enrolled, so users don't need to enroll manually.
  • Phone is optional.
  • Okta prompts users to enroll in these authenticators when they're required for recovery, even if they're disabled in an authenticator enrollment policy.

The phone authenticator has two methods: SMS and voice call. The user must enroll the phone authenticator when you make either (or both) methods available.

Even though SMS and voice are both methods of the phone authenticator, they appear separately in a policy. Users must enroll in the phone authenticator if you use either method.

If you select email or phone as recovery methods for your users, or security question for additional verification, Okta prompts users to enroll in these authenticators even if they're disabled in the authenticator enrollment policy.

You can make email an optional authenticator. See Make email an optional authenticator.

If you have an MFA enrollment policy on Classic Engine that enrolls a user group only in Okta Verify time-based one-time password (TOTP), this group is enrolled in both TOTP and Push after upgrade. On Identity Engine, authenticator enrollment policies that require Okta Verify automatically trigger enrollment in any verification options that you configure in Security > Authenticators > Okta Verify.

If single sign-on isn't enabled for self-service password reset (SSPR), authenticators that appear in these policies don't appear in authenticator enrollment policies.

When the email, security question, or phone authenticators are required for SSPR, the enrollment requirement differs:

  • Email or Security Question: Users must enroll in these authenticators.
  • Phone: Users may choose whether to enroll in this authenticator.

Enroll on first challenge and enroll for sign-in are no longer separate actions. If a user is missing a required authenticator, they're prompted to enroll in the required authenticators when they sign in to any app.

Users are prompted to enroll in all authenticators that their admin has set as required when they sign in to Okta.

Users are prompted to enroll in all authenticators that an app's authentication policy requires when they access the app.

If an app requires MFA with a possession factor type, users are prompted to enroll in such authenticators when they access these apps. Even if these authenticators are only optional in the authenticator enrollment policy, users are still prompted to enroll. See Multifactor authentication.

At first-time account setup, users must enroll in all authenticators required by the authenticator enrollment and self-service recovery policies. During first-time account setup, Okta evaluates both of these policies at the same time. During subsequent sign-in events, Okta applies regular processing rules. Okta no longer pools authenticators between these policies.
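As an added illustration (not Okta's code or API), the following Python model encodes the enrollment-prompt rules described above: required authenticators from the enrollment policy, email and security question forced by the recovery settings, phone left optional for recovery, email auto-enrolled, and a possession-factor app requirement prompting enrollment of an otherwise optional possession authenticator. The authenticator names and the POSSESSION classification are assumptions of this model.

```python
from dataclasses import dataclass, field

# Assumed classification of possession-type authenticators for this model.
POSSESSION = {"okta_verify", "phone"}


@dataclass
class EnrollmentPolicy:
    """Authenticator enrollment policy; anything not listed is treated as disabled."""
    required: set = field(default_factory=set)
    optional: set = field(default_factory=set)


@dataclass
class RecoveryPolicy:
    """Self-service recovery settings from the password policy rules."""
    email: bool = False
    phone: bool = False
    security_question: bool = False


def enrollment_prompts(policy, recovery, enrolled, app_requires_possession=False):
    """Return the set of authenticators the user is prompted to enroll at sign-in."""
    enrolled = set(enrolled) | {"email"}  # email is auto-enrolled, never prompted
    required = set(policy.required)
    # Email and security question chosen for recovery are required even when the
    # enrollment policy disables them; phone chosen for recovery stays optional.
    if recovery.email:
        required.add("email")
    if recovery.security_question:
        required.add("security_question")
    # An app policy requiring a possession factor prompts enrollment of a possession
    # authenticator the enrollment policy allows, even if it is only optional there.
    if app_requires_possession and not (enrolled & POSSESSION):
        required |= (policy.required | policy.optional) & POSSESSION
    return required - enrolled


if __name__ == "__main__":
    # Constructed sample: password required, Okta Verify optional, all recovery methods on.
    policy = EnrollmentPolicy(required={"password"}, optional={"okta_verify"})
    recovery = RecoveryPolicy(email=True, phone=True, security_question=True)
    print(enrollment_prompts(policy, recovery, {"password"}))
    print(enrollment_prompts(policy, recovery, {"password"}, app_requires_possession=True))
```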

The password authenticator is configurable and always required except when the passwordless sign-in experience is enabled, or when the user authenticates with social authentication or inbound federation.

User experience

Users enrolled only in Okta Verify TOTP on Classic Engine are enrolled in both Okta Verify TOTP and Push after they upgrade their Okta Verify account to Identity Engine.

Related topics

Authenticator enrollment policy