MFA enrollment policy

After you upgrade to Identity Engine, learn about the changes to MFA enrollment policies.

Change summary
  • Classic Engine: If the Email, SMS, or Voice Call factors are disabled in a multifactor authentication (MFA) enrollment policy, users aren't able to enroll in these factors even if they’re configured as self-service recovery options in a password policy.

  • Identity Engine: The MFA enrollment policy is called the authentication enrollment policy. If the Email, Phone, or Security Question authenticator is disabled in an authentication enrollment policy, users are able to enroll in these authenticators even if they’re configured as required for recovery in a password policy rule.

Admin experience: If an admin selects the Email or Phone authenticator as a recovery method for their users, or the Security Question authenticator for additional verification, Okta prompts users to enroll in these authenticators even if they’re disabled in the authentication enrollment policy.

User experience: n/a

Related topics

About authentication enrollment policies and rules