MFA enrollment policy
Learn how the MFA enrollment policy changes after the upgrade.
Change summary

The MFA enrollment policy is now called the authenticator enrollment policy.

Admin experience
These considerations apply to account recovery scenarios:

- The phone authenticator has two methods: SMS and voice call. Although the two methods appear separately in a policy, they belong to the same authenticator, so users must enroll in the phone authenticator if you make either (or both) methods available.
- If you select email or phone as recovery methods for your users, or security question for additional verification, Okta prompts users to enroll in these authenticators even if they're disabled in the authenticator enrollment policy. You can make email an optional authenticator. See Make email an optional authenticator.
- If you have an MFA enrollment policy on Classic Engine that enrolls a user group only in Okta Verify time-based one-time password (TOTP), this group is enrolled in both TOTP and Push after the upgrade. On Identity Engine, authenticator enrollment policies that require Okta Verify automatically trigger enrollment in any verification options that you configure in .
- If single sign-on isn't enabled for self-service password reset (SSPR), authenticators that appear in these policies don't appear in authenticator enrollment policies. When the email, security question, or phone authenticators are required for SSPR, the enrollment requirement differs:

The enroll on first challenge and enroll for sign-in flows are no longer separate actions:

- If a user is missing a required authenticator, they're prompted to enroll in the required authenticators when they sign in to any app.
- Users are prompted to enroll in all authenticators that their admin has set as required when they sign in to Okta.
- Users are prompted to enroll in all authenticators that an app's authentication policy requires when they access the app. If an app requires MFA with a possession factor type, users are prompted to enroll in such authenticators when they access these apps, even if those authenticators are only optional in the authenticator enrollment policy. See Multifactor authentication.
- At first-time account setup, users must enroll in all authenticators required by the authenticator enrollment and self-service recovery policies. Okta evaluates both policies at the same time during first-time account setup and applies its regular processing rules during subsequent sign-in events. Okta no longer pools authenticators between these policies.
- The password authenticator is configurable and always required, except when the passwordless sign-in experience is enabled or when the user authenticates with social authentication or inbound federation.
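The following model, added here as an illustration rather than Okta's own code, encodes the prompting rules above (one phone authenticator behind SMS and voice, recovery methods forcing enrollment, app policies requiring a possession factor, password required unless passwordless or federated, and the Okta Verify TOTP to TOTP-plus-Push mapping) so an admin can check which enrollments a given user would be asked for. The set of possession-factor authenticator types and all identifier names are assumptions of the example.

```python
"""Illustrative model of Identity Engine enrollment prompting (not Okta's code)."""
from dataclasses import dataclass, field

# Assumption: the authenticator types this model treats as possession factors.
POSSESSION = {"okta_verify", "phone", "email"}


@dataclass
class EnrollmentPolicy:
    required: set = field(default_factory=set)
    optional: set = field(default_factory=set)


@dataclass
class RecoveryPolicy:
    recovery_methods: set = field(default_factory=set)         # e.g. {"email", "phone"}
    additional_verification: set = field(default_factory=set)  # e.g. {"security_question"}


def normalize(names):
    """SMS and voice call are methods of the single phone authenticator."""
    return {"phone" if n in ("sms", "voice") else n for n in names}


def enrollment_prompts(enrolled, enrollment, recovery,
                       app_needs_possession=False, federated_or_passwordless=False):
    """Return the authenticators a user is prompted to enroll at sign-in."""
    enrolled = normalize(enrolled)
    needed = normalize(enrollment.required)
    # Recovery and additional-verification methods prompt enrollment even when
    # the authenticator is disabled in the enrollment policy.
    needed |= normalize(recovery.recovery_methods | recovery.additional_verification)
    # Password is always required unless the user signs in passwordless, via
    # social authentication or via inbound federation.
    if not federated_or_passwordless:
        needed.add("password")
    # An app policy that needs a possession factor prompts for the possession
    # authenticators the enrollment policy offers, required or optional.
    if app_needs_possession and not (enrolled & POSSESSION):
        needed |= normalize(enrollment.required | enrollment.optional) & POSSESSION
    return sorted(needed - enrolled)


def upgrade_okta_verify(classic_methods):
    """A Classic group enrolled only in Okta Verify TOTP gets TOTP and Push."""
    methods = set(classic_methods)
    if "okta_verify_totp" in methods:
        methods.add("okta_verify_push")
    return sorted(methods)
```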
User experience

Users enrolled only in Okta Verify TOTP on Classic Engine are enrolled in both Okta Verify TOTP and Push after they upgrade their Okta Verify account to Identity Engine.

Related topics

Authenticator enrollment policy