Set required authenticators for MFA enrollment policies

Enabling at least one required authenticator for your org ensures that end users assigned to a given policy are enrolled in MFA.

Once a required authenticator is set, you can also update your sign-on policy to prompt users to enroll in the authenticator the next time they sign in.

HealthInsight task recommendation

Set require authenticators to ensure that end users assigned to a given policy are enrolled in authenticators.

Okta recommends

Require at least one authenticator in every MFA enrollment policy.

Security impact


End-user impact


If an authenticator is set to required as part of the MFA enrollment policy, end users must enroll in the authenticator before they can sign in to their org. Setup varies depending on the authenticator specified.

Set a required authenticator in an MFA enrollment policy

  1. In the Admin Console, go to Security > Authenticators.

  2. Click the Enrollment tab.

  3. Select a policy and click Edit to modify it.
  4. From the list of Effective authenticators, set at least one factor to Required.
  5. Click Update Policy to save changes to your MFA enrollment policy.

Set an enrollment policy rule that allows a user to enroll in an authenticator when prompted

  1. From the Admin Console menu, click Security > Authenticators.
  2. Click Enrollment.
  3. Choose one of the active policy rules in the list and click Edit. The Edit Rule window is displayed.
  4. Under the condition THEN Enrollment is, select Allow if required authenticators are missing.
  5. Click Update Rule to save your changes.

Set a sign-on policy rule that prompts for authenticators

  1. From the Admin Console menu, click Security > Okta Sign-on Policy.
  2. Select the policy to which you want to add rules.

  3. Select an existing rule and click Edit.

  4. In Then Access is: Based on the authentication form of the previous drop-down menu, use this one to establish whether the condition allows or denies access.
  5. In Prompt for Factor: Select Password / IDP or Password / IDP / any factor allowed by app sign on rules. To set up passwordless authentication, see Set up passwordless sign-in experience.
  6. Click Update Rule.

See Add a global session policy rule.

Related topics

HealthInsight tasks and recommendations

Network zones

Configure Okta ThreatInsight

Password changed notification for end users

Authenticator enrollment notifications for end users

Authenticator reset notifications for end users

General Security