Authenticator enrollment policies

Authenticator enrollment policies let you manage how and when your end users enroll authenticators. The policy lets you select from the eligible authenticators and make them required, optional, or disabled for enrollment.

You can create policies for specific authenticators, and then customize those policies for different user groups. The rules you add to a policy determine the situations when the policy applies. For example, allow authenticator enrollment for users accessing certain apps, or deny enrollment if users access Okta from certain locations.

Okta may prompt users to enroll more authenticators if the global session policy, authentication policy, or password policy requires them.

Grace periods

Early Access release. See Enable self-service features.

Grace periods let you designate an amount of time for a user to enroll in a required authenticator. They're configured on a per-authenticator basis so you can minimize sign-in friction and streamline the onboarding process.

When you configure a grace period for a required authenticator, the user may postpone enrollment until the grace period ends. At that point, the option to continue without enrolling is hidden. If you want users to enroll in an authenticator immediately, you don't have to set a grace period.

Topics

Create an authenticator enrollment policy

Configure an authenticator enrollment policy rule