MFA requirements

This security task appears when users select the following settings on the Global Session Policy Add Rule or Edit Rule page:

Option Setting
Behavior is New Device
Users will be prompted for MFA

When signing in with a new device cookie or After MFA lifetime expires for the device cookie

This combination creates a mismatch between the policy's condition and its action.

This security task helps users ensure that:

  • The MFA requirements configured by the admin aren’t in conflict with Okta’s Behavior Detection functionality. See About Behavior Detection.
  • The MFA policy rule isn’t bypassed unintentionally.

When users select this security task, recommendations appear for correcting the configuration.

HealthInsight task recommendation

Set require factors to ensure that end users assigned to a given policy are enrolled in multifactor authentication.

Okta recommends

Select At every sign in for the Users will be prompted for MFA option on the Global Session Policy Add Rule or Edit Rule page. See Add a global session policy rule for instructions.

Security impact


End-user impact


Related topics

HealthInsight tasks and recommendations

Configure Okta ThreatInsight

Multifactor authentication

General Security